Cyber Risk News
Global firms could lose over $5tr to cybercrime over the next five years, a new Accenture study has warned.
The consulting giant interviewed over 1700 CEOs and other C-suite executives to compile its report, Securing the Digital Economy: Reinventing the Internet for Trust.
It claimed that as businesses become more dependent on complex web-based models, their ability to innovate and grow securely cannot keep up.
In fact, over three-quarters (79%) claimed that the growth of the digital economy will be held back unless internet security is dramatically improved, while 59% said they don’t know how to react to growing instability.
Most at risk over the next five years are hi-tech companies, which could face losses of $753bn, followed by those in life sciences ($642bn) and automotive ($505bn).
Nearly four-fifths (79%) claimed their organization is adopting new technologies faster than they can secure them, while 80% said third-party threats are increasingly difficult to mitigate.
Only 30% of those polled said they were very confident in their own cybersecurity.
“Strengthening internet security requires decisive — and, at times, unconventional — leadership by CEOs, not just CISOs,” argued Accenture CMT lead, Omar Abbosh. “To become a cyber-resilient enterprise, companies need to start by bringing CISOs’ expertise to the board, ensuring security is built-in from the initial design stage and that all business managers are held responsible for security and data privacy.”
Over half of respondents (56%) said they’d welcome stricter business regulations in the cybersecurity sphere, while three-quarters (75%) claimed that addressing security concerns will require a group effort.
That’s why Accenture is recommending business leaders focus on improved collaboration with their peers, government officials and regulators, as well as improving baseline security across the supply chain.
“No organization can tackle the challenges posed by cyber-threats on its own; it’s a global challenge that needs a global response, and collaboration is key,” explained Accenture Security senior managing director, Kelly Bissell.
“To shape a future that thrives on a strong and trustworthy digital economy, senior executives need to look beyond the bounds of their organization, team with an ecosystem of partners, and secure their entire value chains — across every partner, supplier and customer.”
The Democratic National Committee (DNC) has claimed that one of the same Russian hacking groups blamed for leaking sensitive information in 2016 targeted its employees again just days after the 2018 midterm elections.
In court documents filed at the weekend, the DNC said that the group known as Cozy Bear (aka APT29/The Dukes) posed as a State Department official in spear-phishing emails sent to dozens of its employees.
The emails were booby-trapped with a malware-laden PDF designed to provide access to the victim’s machine.
“In November 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful,” the filing noted.
“The content of these emails and their timestamps were consistent with a spear-phishing campaign that leading cybersecurity experts have tied to Russian intelligence. Therefore, it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers in November 2018.”
The revelations are part of a civil suit filed by the DNC against the Kremlin, Julian Assange and WikiLeaks, the Trump campaign, and others. It details an alleged conspiracy to win Trump the presidency by stealing sensitive DNC documents and leaking them ahead of the 2016 election.
The Kremlin has already argued for it to be thrown out, claiming that even if it did hack the DNC, this activity would fall under military operations and therefore be immune from civil claims.
In July 2018, special counsel Robert Mueller indicted 12 alleged Russian intelligence officers for their part in this 2016 operation.
That followed a February charge against 13 Russian nationals and three Russian companies for the alleged role they played in online disinformation and influence campaigns ahead of the election.
A recently discovered trove of breached data is just a small part of a major 871GB haul up for sale on the dark web which could contain billions of records, according to experts.
The 87GB Collection #1 dump was first publicized late last week when noted researcher Troy Hunt was alerted to the files hosted on a popular cloud site. After cleaning up the data he found it contained nearly 773 million unique email addresses and over 21 million “dehashed” passwords.
It has since emerged that this data is two to three years old, gathered from multiple sources, and that the same seller, dubbed ‘Sanixer’ on Telegram, has much more recently obtained data to sell.
Authentication security vendor, Authlogics, claims to have the data from Collection #2, 3, 4, and 5 in its possession and is loading it into its breached password database.
It estimates the new trove of data comes to roughly 784GB, nine times the size of Collection #1, and could contain over seven billion records in its raw state.
In fact, Sanixer may have even more breached and leaked data to sell: the cyber-criminal told researcher Brian Krebs that taken together, all the other packages they have up for sale are less than a year old and total over 4TB in size.
These include one dubbed “ANTIPUBLIC #1” and another titled “AP MYR&ZABUGOR #2.”
The bottom line is that users need to invest in password managers to store and support long-and-strong unique credentials for all the main sites/accounts they have online, and to opt for multi-factor authentication where it’s available.
One security vendor warned in its 2019 predictions report at the end of last year that credential stuffing tools would become increasingly popular among the black hat community as they look to monetize troves of breached data.
“Because of the volume of data breaches in the past years and the likelihood that cyber-criminals will find a lot of users recycling passwords across several websites, we believe that we will see a surge in fraudulent transactions using credentials obtained by cyber-criminals from data breaches,” Trend Micro claimed.
“Cyber-criminals will use breached credentials to acquire real-world advantages such as registering in mileage and rewards programs to steal the benefits. They will also use these accounts to register trolls on social media for cyber-propaganda, manipulate consumer portals by posting fake reviews, or add fake votes to community-based polls — the applications are endless.”
The new year is a time for resolutions and promises of change, so much so that even malware has returned from a bit of time off with some new features, including a new Flash exploit, according to Malwarebytes head of investigations, Jérôme Segura.
The Fallout exploit kit (EK) took a little respite over the first few weeks of 2019, but it has returned, this time using CVE-2018-15982, along with HTTPS support, a new landing page format, and PowerShell to run its payloads. In addition, Segura said the team has seen an increase in RIG EK campaigns, which he suspects might have been an effort to fill that temporary void.
As the malware has returned to business, it continues to spread using malvertising chains. In September 2018, FireEye wrote that the Fallout EK was discovered affecting mostly countries in the Asia Pacific region. Though it did distribute SmokeLoader in Japan, the malware then shifted to dropping GandCrab in the Middle East.
When the malware was detected again in October 2018, the EK was being used in the HookAds campaign, which delivered victims to a fraudulent dating page, according to Malware-Traffic-Analysis.net, which also noted that the first payload was the Minotaur ransomware, followed by AZORult during the second and third runs.
Since Fallout EK's return, Malwarebytes researchers have discovered the malware is delivering the GandCrab ransomware, though it delivers its payload via PowerShell, as opposed to iexplore.exe. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload,” Segura wrote.
"What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques," he continued. "In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proofs of concept. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer.”
Malicious code was lurking about in two different apps within the Google Play store, according to researchers at Trend Micro who have disclosed that they discovered a banking Trojan in what seemed like legitimate apps.
Both the currency converter and the battery-saving app have been removed from Google Play, but not before they were downloaded thousands of times. The battery app, BatterySaverMobi, even had 73 reviews resulting in a 4.5 star rating, making it appear all the more legitimate.
“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well,” researchers wrote.
The apps were reportedly able to evade detection by using the device's motion sensor data.
The malware authors assume that a device used to scan for malware, such as an emulator, has no motion sensors, so the app monitors the user’s steps through the device’s motion sensor data to determine whether it is running in a sandbox environment. If no sensor data is present, it concludes that it is, and the malicious code does not run.
If it does run, though, the user receives a fraudulent prompt, alerting them that a system update is available.
“Here’s more proof that criminals are following users to mobile devices and investing more time and effort in attempting to exploit them. As hard as organizations might work to secure their customers’ mobile experiences, attackers work just as hard to innovate and find ways to take advantage,” said Sam Bakken, senior product marketing manager, OneSpan.
“This is why it’s imperative to give app developers a leg up with one-stop mobile app security tools that allow them to build security into mobile apps from the start, which will save them time and effort and save financial institutions and other purveyors of high-value mobile services money in terms of reduced fraud and maintaining consumer trust in their brand. In addition, meeting attackers’ innovations with mobile app security innovations such as App Shielding – which proactively detects and defends against a variety of nefarious activities executed by mobile banking Trojans such as this one – is another step in the right direction for what will be an ongoing battle.”
A new strain of yet another ransomware campaign has been discovered in which the malicious actors have expanded payment options beyond Bitcoin; they are instead offering alternatives (such as PayPal) that include a phishing link, according to MalwareHunterTeam.
Attackers are stealing a page from Daedalus and are killing two birds with one stone by including a link to make a payment. To obtain the decryption key, victims can follow the link to the PayPal phishing page, where their login credentials are stolen. The combination of two threat vectors makes this attack particularly dangerous for unsuspecting victims.
The new attack method combines “a ransom note that direct victims to a PayPal phishing page...Clicking on the Buy Now button, it directs to the credit card part of the phish already (so the login part is skipped). After filling & clicking Agree comes the personal info part & then finished,” the team tweeted. Once that payment is processed, the victim receives a confirmation.
For victims who pay with Bitcoin, the threat actors also requested that victims send an email with a reference number, which is provided in the ransom.
“Malicious actors are continually becoming more sophisticated. With this particular campaign involving phishing as an immediate follow-up threat vector to the ransomware, this attack has the potential to cause significant harm,” said DomainTools’ senior security adviser, Corin Imai.
“Not only will victims be dealing with the impact of ransomware, but many will also be directed to a carefully crafted phishing site that will attempt to steal their credentials. As seen in past attacks, ransomware campaigns have targeted individuals with the threat of releasing compromising content or rendering their computers useless, leaving victims feeling that they have no choice but to pay up. The best advice in this scenario is to be hyper-vigilant, double-check URLs, and when in doubt, don’t click.”
The third annual CyberFirst Girls competition will kick off on Monday as GCHQ looks to help address a chronic gender imbalance and skills shortage in the industry.
Over the past two years, the intelligence service’s National Cyber Security Centre (NCSC) has managed to attract 12,500 female pupils from schools across the UK to take part.
Teams of up to four plus a teacher or mentor can enter, with girls in Year 8 in England and Wales, S2 in Scotland and Year 9 in Northern Ireland (12 to 13 years old) able to participate.
They’ll face a week of online challenges in four key areas — cryptography, cybersecurity, logic and coding, and networking — with the top 10 teams competing face-to-face at a grand final in Edinburgh in March.
Participants are also able to apply for a place on CyberFirst Girls Defenders: free four-day residential and non-residential courses taking place in April-May and designed to teach further skills in how to build and protect small networks and personal devices.
James Hadley, CEO of Immersive Labs, welcomed the initiatives as helping to encourage a new generation of cybersecurity talent.
"In my experience, men and women have distinctly different approaches to problem-solving in cyber. Women are typically more methodical — which allows them to take a long-term and determined approach to finding a resolution and complements men's slightly faster-moving approach,” he added.
“In the long term, this initiative will also set the groundwork for building a network of like-minded people to encourage and support one another when starting out in the space.”
Attracting more gender diversity into the information security industry has been a challenge for years. Today just 24% of the global workforce are women, yet the sector as a whole suffers from shortages reaching nearly three million professionals.
Government figures published in December last year claimed that over half (57%) of all UK firms and charities have a “basic technical cybersecurity skills gap.”
It’s a situation predicted to get worse if the UK leaves the European Union as it has signaled this year.
Last month, the government released a new skills strategy in an effort to reduce skills shortfalls and promised that the new UK Cyber Security Council will receive £2.5m of public funding to help in its mission to “lay the structural foundations” of the profession.
However, it has been criticized in the past by MPs for failing to address the immediate challenges facing businesses in the critical national infrastructure sector.
Facebook has removed hundreds of fake Pages and accounts after spotting a coordinated effort by Russian state-linked actors to spread disinformation in Ukraine and other former Soviet countries.
There were two linked campaigns: the first targeting Romania, Latvia, Estonia, Lithuania, Armenia, Azerbaijan, Georgia, Tajikistan, Uzbekistan, Kazakhstan, Moldova, Russia and Kyrgyzstan.
Although purporting to be independent or general interest Pages on topics ranging from weather and travel to politics, they were actually run by employees of Kremlin news agency Sputnik, according to Facebook’s head of cybersecurity policy, Nathaniel Gleicher.
The 289 fake Pages and 75 spoof accounts posted disinformation on local corruption and protests, and anti-NATO sentiment, spending $135,000 on ads, hosting 190 events and attracting 790,000 followers.
Facebook also removed 107 Pages, Groups and accounts and 41 Instagram accounts for similar “coordinated inauthentic behavior” targeting Ukrainians. Account holders pretended to be regular Ukrainian netizens, attracting 180,000 followers and spending $25,000 on ads.
This campaign apparently shared similar characteristics to the disinformation blitz carried out by the Internet Research Agency (IRA) ahead of the US mid-terms last year and the 2016 presidential election.
“We’re taking down these Pages and accounts based on their behavior, not the content they post. In these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action,” said Gleicher.
“While we are making progress rooting out this abuse, as we’ve said before, it’s an ongoing challenge because the people responsible are determined and well-funded.”
The accounts effectively promoted Sputnik content and that of its parent company, state-run Rossiya Segodnya, whilst hiding its true source. The effect was to increase Sputnik’s reach in the countries covered by 170%, according to the Digital Forensic Research Lab.
“Most posts were apolitical, but some, especially in the Baltic States, were sharply political, anti-Western, and anti-NATO,” the body said.
Things could be about to get even worse for Huawei after a report claimed the US Department of Justice is readying an indictment against the firm for IP theft against global partner companies.
One of these is T-Mobile. That case has already been tried in a civil court in 2017, with a federal jury in Seattle siding with the US mobile carrier in finding Huawei liable for the theft of robotic technology it was developing.
The incident happened in 2014, when a Huawei engineer stole part of T-Mobile’s smartphone testing “Tappy” robot, whilst visiting its Bellevue lab as an industry partner.
Now the DoJ is reportedly flexing its muscles, with a criminal investigation into more widespread IP theft by the Shenzhen giant. An indictment could come soon, a person familiar with the matter told the WSJ.
It comes as CFO and daughter of Huawei’s founder, Meng Wanzhou, remains under house arrest in Vancouver awaiting extradition to the US.
This is said to be linked to another criminal investigation, into whether she conspired to trick US banks into unwittingly breaking sanctions on Iran by claiming Huawei subsidiary Skycom was a separate business.
All this comes as governments around the world continue to reassess whether Huawei represents a national security risk as a provider of 5G network equipment.
Although it has protested its innocence on numerous occasions, claiming it’s a victim of geopolitics, the US, New Zealand, Australia, Japan and others have banned or are restricting the firm.
In Poland, the government is mulling whether to change the law to do the same after a sales director in the country was arrested on suspicion of spying.
The German government this week became the latest to consider a ban on Huawei 5G products on national security grounds.
With 5G set to play a key role in critical infrastructure for years to come, the fear is that Huawei may be forced to do the bidding of the Chinese government in the future to provide it with a strategic advantage.
An attack leveraging the open-source Build Your Own Botnet (BYOB) framework has reportedly been intercepted by Israeli cybersecurity firm Perception Point’s incident response team. According to the team, this appears to be the first time the BYOB framework has been found to be used for fraudulent activity in the wild.
While these tactics and techniques have historically been limited in use to financially backed advanced persistent threat (APT) groups, they are now more easily accessed by novice criminals, in part because of the more widespread popularity of plug-and-play hacking kits, researchers said.
In July, a BYOB framework that implements all the building blocks needed to build a botnet was developed to improve cybersecurity defenses; however, what is used by defense can also fall into the hands of those with more malicious intentions. The continued growth of these hacking kits allows any script kiddie or malicious attacker to leverage this framework and carry out attacks that otherwise wouldn’t be possible.
According to the team’s email analysis, victims received an email with an HTML attachment containing both a link to a phishing site impersonating the Office 365 login page and script code that automatically downloaded malware to the victim’s computer. The payload then awaits commands after connecting to the attacker’s server.
“The attack we intercepted was a targeted email attack against one of our clients. It was distributed via the email channel so the extent of it is to whomever the attacker chose to send it to. The nature of the tool [BYOB] used in the attack is mass remote control; therefore, we presume that this wasn't a single email sent, and we expect that others might have been compromised by this attack as well,” said Shlomi Levin, co-founder and CTO, Perception Point.
“The attack was easily prepared using the BYOB framework; hence, it doesn't cost the attacker much investment, so I would expect to see more BYOB used in the future.”
Despite a 28% decrease in cybersecurity startups during 2017, global venture capital funding for cybersecurity rebounded with record high investments, according to Strategic Cyber Ventures.
Though last year saw $5.3 billion in cybersecurity global ventures, Strategic Cyber Ventures called this an unsustainable investment rate.
Over half of cybersecurity founders of new startups have more than a decade of executive or entrepreneurial experience, as opposed to the past two years in which there was nearly an even split between experienced founders and less-seasoned founders, the report found.
In fact, 2018 was the fifth consecutive year in which Israel enjoyed increasing round sizes at the seed stage. Additionally, the amount of funding across all stages increased, keeping the recent trend of fewer companies raising larger amounts of capital moving forward.
Though there were emerging fields among new startups in 2018, including cybersecurity solutions for cryptocurrencies and software-defined perimeter (SDP), the most overwhelmingly funded field across all stages was internet of things (IoT) security. Though most startups were within the SCADA and medical devices sub-domains, other emerging fields included threat detection, security operations, data protection and cloud security.
Nevertheless, the report said, “In cybersecurity, there are likely many zombies out there. They’ve raised big rounds, growth has slowed, perhaps due to vendor fatigue or increased competition, and now these companies can’t raise at increased valuations from prior rounds, or at all, and are being propped up by existing investors that will eventually grow weary of keeping them alive. These companies will eventually float to the surface over the next few years with less than desirable outcomes for investors and founders.”
According to Chris Ahern, principal, Strategic Cyber Ventures, “We’ve seen massive funds formed over the past few years and some of that money is making its way to cybersecurity deals. Second, we’ve seen some strong exits in the space through IPOs and M&A over the last couple of years.
“The problems aren’t going away. 2018 had several massive, high-profile breaches and we’ll continue to see this into 2018 as well as a continued discussion around privacy. The real question is whether it’s a good thing that 2018 was a record year for cybersecurity investment.”
Another California-based communications provider has announced a potential security incident, as VOIPo confessed that it left a database containing seven million call logs, six million text messages and other internal documents containing unencrypted passwords exposed without password protection.
After security researcher Justin Paine notified the company, he wrote, “This database was promptly secured after I notified the company. I would like to thank VOIPo for their quick assistance in securing this data.”
In the security notice shared with customers, VOIPo wrote: “We were made aware of a development server that was exposed for a small window of time. When it was discovered, it was taken offline within 15 minutes of being notified by Cloudflare that they had discovered it. It primarily had some data for database load testing made up of call logs (partial numbers only), SMS messages our system flagged as SPAM and some general server log data."
VOIPo said the dev server was isolated and no other network was at risk because additional production systems are firewalled so that any connection to those systems would not have been possible. However, these statements have been called "misleading" on Twitter.
The VOIPo database reportedly had been exposed since June 2018 and contains call and message logs dating back to May 2015. The news comes only two months after a database misconfiguration at San Diego–based Voxox leaked 26 million text messages. As was the case in the Voxox breach, if text messages containing two-factor authentication (2FA) codes or password reset links were intercepted, they could have allowed the attacker to hijack a user’s account.
“It does not take much for outsiders to find unsecured databases and access sensitive information,” said Stephan Chenette, CTO and co-founder, AttackIQ. “In fact, there are now tools designed to detect misconfigurations within cloud tools like Amazon's S3. Misconfigured security controls are an all-too-common problem. Organizations are increasingly struggling with limited and under-trained IT resources that lead to using default account passwords, unpatched systems and poorly configured network devices.”
Although VOIPo claims there is no evidence to indicate a breach occurred, “the company cannot guarantee that no unauthorized users accessed the data, especially since it was left unsecured and easily available for months,” said Ruchika Mishra, director of products and solutions, Balbix.
The vast majority of senior decision makers across the globe expect data theft and cyber-disruption to increase in 2019, according to the latest report from the World Economic Forum (WEF).
The annual Global Risks Report for 2019 uses interviews with risk experts, business leaders, academics and others to better understand the challenges facing the world economy.
Rising dependency on technology ensured cyber-related risk remained front-of-mind for respondents, both in the near and long-term.
Some 82% said they expect data and monetary theft attacks to increase in 2019, while 80% said the same for cyber-related disruption to operations and infrastructure.
A slightly smaller number anticipated an increase in fake news (69%), personal identity theft (64%) and loss of privacy to companies (63%).
Over the next decade, respondents placed data fraud/theft and cyber-attacks fourth and fifth in terms of most likely risks, while cyber-attacks and “critical information infrastructure breakdown” were placed seventh and eighth in terms of biggest potential impact.
“There were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyber-attacks,” the report noted. “Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds.”
Veeam’s regional VP for UK & Ireland, Mark Adams, claimed the report highlights the continued need for investment in cyber-threat mitigation.
“Spending time and money on thorough cybersecurity and disaster recovery planning is no longer evidence of being overly paranoid,” he added. “When disaster strikes, whether from a data breach or service outage, having these kinds of measures in place to rely on is what will separate successful businesses from struggling ones.”
However, the findings show a slight change from last year’s report, which listed cyber-attacks as the third most likely global risk.
Millions of sensitive files dating back decades have been exposed after 3TB of data on a storage server was left publicly exposed by the Oklahoma Securities Commission.
Researchers at UpGuard made the discovery on December 7 last year and it was fixed a day later by the commission, part of the state’s Department of Securities which regulates and administers the trading securities sector.
It was first registered as publicly accessible by Shodan a week earlier.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” explained the security vendor.
“The website for the Securities Commission has an UpGuard Cyber Risk score of 171 out of 950, indicating severe risk of breach. Among the issues lowering the website’s score is the use of the web server IIS 6.0, which reached end of life in July 2015, meaning no updates to address any newly discovered vulnerabilities have been released in the last three and a half years.”
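The exposure UpGuard describes is an rsync daemon that accepts anonymous connections from any address. As an added example, not code from UpGuard or from the article, the script below parses a constructed rsyncd.conf, flags every module that lacks a source restriction (`hosts allow`), lacks authentication (`auth users` with a `secrets file`), allows writes, or advertises itself in module listings, and shows a hardened equivalent that passes the same check. The module name, paths and addresses are made up; the parameter names are rsync's own.

```python
# Added example: audit an rsyncd.conf for anonymously reachable modules.
# Both configurations below are constructed for illustration.

EXPOSED_CONF = """
uid = nobody
gid = nobody
use chroot = yes

[filestore]
    path = /srv/filestore
    comment = document archive
    read only = yes
    list = yes
"""

HARDENED_CONF = """
uid = nobody
gid = nobody
use chroot = yes
address = 10.0.12.5

[filestore]
    path = /srv/filestore
    comment = document archive
    read only = yes
    list = no
    hosts allow = 10.0.12.0/24
    hosts deny = *
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into (global_settings, {module_name: settings}).

    Keys are lower-cased. Parameters that appear before the first [module]
    header go into the global section, which rsync treats as per-module
    defaults, so the audit merges them into each module below.
    """
    global_settings, modules = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return global_settings, modules


def audit_rsyncd_conf(text):
    """Return {module: [findings]} for every module with a weak setting."""
    global_settings, modules = parse_rsyncd_conf(text)
    report = {}
    for name, settings in modules.items():
        eff = {**global_settings, **settings}  # module values override globals
        findings = []
        if "hosts allow" not in eff:
            findings.append("no 'hosts allow': any source IP may connect")
        if "auth users" not in eff:
            findings.append("no 'auth users': anonymous, unauthenticated access")
        elif "secrets file" not in eff:
            findings.append("'auth users' set but no 'secrets file'")
        # rsync defaults: read only = yes, list = yes
        if eff.get("read only", "yes").lower() in ("no", "false", "0"):
            findings.append("'read only' disabled: clients could write")
        if eff.get("list", "yes").lower() in ("yes", "true", "1"):
            findings.append("'list' enabled: module is visible to scanners")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_rsyncd_conf(conf) or "no findings")
```

The `hosts allow` check is the one that matters most for the case above: without it, the daemon answers to every address on the internet, which is exactly the condition Shodan indexed. Binding the daemon to an internal `address` and closing the port at the perimeter firewall complement the configuration-level controls but are outside what a config audit can see.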
The data, which dated back to 1986 and included email back-ups and virtual images, covered a broad sweep of different areas.
These included personal information such as the Social Security numbers of 10,000 brokers, and highly sensitive life insurance information on terminally ill AIDS patients.
Also exposed were system credentials which could allow an attacker to hijack Department of Securities workstations, third-party security filings, and accounts with Thawte, Symantec Protection Suite, Tivoli and others.
The leaked data also included “spreadsheets documenting the timeline for investigations by the FBI and people they interviewed,” potentially putting witnesses at risk.
“We need to stop making it so easy for hackers and bad actors who are simply using tools that have been around for years,” argued Suzanne Spaulding, Nozomi Networks adviser and former DHS under secretary.
“Hackers use a tool called Shodan that allows anyone to scan the internet, looking for devices and computers, connected to the internet, but not protected.”
A leading security researcher has warned of a major trove of breached data being shared on hacking sites, containing over 772 million unique email addresses and more than 21 million unique passwords.
Troy Hunt, owner of the Have I Been Pwned (HIBP) breached credentials site, explained that he was alerted to the collection of 12,000 files hosted on the MEGA cloud service last week.
Although the 87GB dump was subsequently removed, he was also notified of it being shared on a hacking forum under the moniker “Collection #1.”
The total collection amounted to nearly 2.7 billion rows comprised of credentials stolen from thousands of sources in multiple breaches, said Hunt.
After cleaning up the data, he reduced this figure to 772.9 million emails — the largest ever to be loaded into HIBP — and 21.2 million dehashed passwords.
“Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all,” Hunt explained.
“However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches … but have been cracked and converted back to plain text.”
Hunt encouraged users to check whether their emails and passwords are affected, by visiting HIBP. However, they’ll have to search separately for them as the site doesn’t store paired credentials together for security reasons.
The likelihood is the data could be fed into credential stuffing programs to automatically try to unlock accounts over multiple other sites.
Hunt recommended users get a password manager to store long-and-strong unique credentials for each site.
“A password manager is also a rare exception to the rule that adding security means making your life harder,” he said.
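To show how a credentials check can be run without handing the site the password itself, here is an added example (not code from the article, from Troy Hunt or from HIBP) of the k-anonymity range lookup used by HIBP's Pwned Passwords service: the client hashes the password with SHA-1 locally, sends only the first five hex characters of that hash, and matches the returned suffix list itself. The API URL is the public one; the response body used below is constructed so the example runs offline, and the breach count attached to the constructed entry is made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public HIBP endpoint


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, computed entirely on the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_lookup) -> int:
    """Number of times the password appears in the corpus, 0 if unseen.

    range_lookup(prefix) must return the response body for that 5-char prefix.
    Only the prefix ever leaves this function; the suffix match happens here.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def live_range_lookup(prefix: str) -> str:
    """Real network lookup against the HIBP range API (not used by the offline demo)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- constructed offline fixture -------------------------------------------
# A canned response for the prefix of "password123". The count (123456) and the
# two filler suffixes are constructed; only the first suffix is a real SHA-1 tail.
_DEMO_PREFIX, _DEMO_SUFFIX = split_hash("password123")
_DEMO_BODY = "\n".join([
    f"{_DEMO_SUFFIX}:123456",
    "0" * 35 + ":3",
    "F" * 35 + ":1",
])


def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for the network call: answers only for the constructed prefix."""
    return _DEMO_BODY if prefix == _DEMO_PREFIX else ""


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple 7!x"):
        print(pw, "->", pwned_count(pw, constructed_range_lookup))
```

Swap `constructed_range_lookup` for `live_range_lookup` to query the real service; the design point is that the lookup function only ever sees the 5-character prefix, so the check can be wired into a password-change form without the full password or its hash being transmitted.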
A malicious MS Word document, titled “eml_-_PO20180921.doc,” has been found in the wild, and according to researchers at Fortinet's FortiGuard Labs, the document contains auto-executable malicious VBA code.
Victims who receive and open the document are shown a security warning that macros have been disabled. If the user then clicks “enable content,” the NanoCore remote access Trojan (RAT) is installed on the victim’s Windows system.
According to FortiGuard Labs, the NanoCore RAT was developed in the .Net framework back in 2013. Despite its continued use, the author was convicted by the FBI and sentenced to nearly three years in prison. Researchers captured a sample of this latest version (22.214.171.124), which uses NanoCore to execute malicious behavior.
Spreading through phishing campaigns that dupe victims into opening the document, the malware is downloaded from www.wwpdubai.com. Once executed, the VBA code downloads and saves an EXE file from the URL.
“I loaded CUVJN.exe with the .Net debugger dnSpy. Tracing from its main function, we can see that it loads numerous data blocks from its resource section, and then puts them together and decrypts them,” wrote researcher Xiaopeng Zhang.
In order to trace the main functions, researchers loaded CUVJN.exe with the .Net debugger dnSpy and found that it loads, puts together and then decrypts multiple data blocks from its resource section in order to get to a new PE file.
“According to my analysis, the decrypted .Net program is a daemon process. Let’s continue to trace it from its main() function. At first, it creates a Mutex and checks if the process already exists to ensure only one process of this program is running. Next, it checks if Avast is running on the victim’s system by detecting whether the “snxhk.dll” module is loaded or not. If so, it keeps waiting until it has been unloaded. Avast is an AntiVirus software, and “snxhk.dll” is one of its modules,” Zhang wrote.
Unfortunately, the decrypted .Net program runs as a daemon process, which Zhang said he was not able to kill because it has a “ProtectMe” class, though he does provide steps for removing the malware.
Players who love to indulge in online battle should exercise caution when playing Fortnite, according to researchers at Check Point, who have disclosed vulnerabilities that could give a malicious actor access to a user’s account and their V-Bucks.
In addition to gaining full access to a user’s account, an attacker who exploited the vulnerability – which has now been fixed – could have eavesdropped on a player’s in-game conversations, potentially also picking up any sounds in the background where the game was being played, researchers said.
According to today’s press release, an attacker could have stolen login credentials by exploiting three flaws found in the web infrastructure of Epic Games, specifically in compromised sub-domains through which the malicious actor could intercept authentication tokens.
The attack, which reportedly could be executed in a single click, would have let an attacker purchase virtual in-game currency using the victim’s payment card details; that currency could then be sold for real money outside the game.
“Researchers were able to demonstrate the token-based authentication process used in conjunction with Single Sign-On (SSO) systems such as Facebook, Google and Xbox” and reported the vulnerability to Epic Games, the press release stated.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” said Oded Vanunu, head of products vulnerability research for Check Point in a press release.
“Together with the vulnerabilities we recently found in the platforms used by drone manufacturer DJI, show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability,” continued Vanunu.
Still, Check Point advised players to remain vigilant and use discretion when sharing information online and cautioned that because of the increasing popularity and success of phishing campaigns, players should keep in mind that there are many dubious and dangerous links that should not be trusted.