An unprotected ElasticSearch server led to a potentially massive data leak for a popular avatar app maker, Boomoji. The app, which is based in China and has 5.3 million users across the globe, allows iOS and Android users to create 3D avatars.
The personal data of its entire user base was exposed after Boomoji reportedly left two ElasticSearch databases unprotected without a password, according to TechCrunch.
According to Anurag Kahol, CTO, Bitglass, “There are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases. Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries.”
A database serving international users was based in the US, and another, which serves Chinese users, was based in Hong Kong in order to comply with China’s data security laws. The databases reportedly contained the usernames, gender, country, phone type, unique Boomoji ID, users’ schools, the geolocation for 375,000 users and the phone book entry of every user that allowed the app to access their contacts.
Because the app also allows access to contact data, in addition to the data for 5.3 million users, contact information of an additional 125 million people who may not even know the app exists could have been compromised as well. Even if you did not use the app, if someone you know does and has your phone number stored on their device, the app more than likely uploaded your contact information onto Boomoji’s database.
“This exposure demonstrates how most enterprises – even hyper-scale providers – do not have adequate visibility into their entire infrastructure and assets to detect vulnerabilities and security gaps,” said Jonathan Bensen, acting CISO and director of product management, Balbix.
“Unsecured databases with no password protection are a simple enough problem to fix, if the companies are continuously monitoring all assets in order to quickly identify and remediate priority issues.”
Law enforcement agencies across the country spent the better part of yesterday evening investigating a slew of bomb threats delivered by email to businesses and universities across the US and Canada. The hoax email warning that an explosive device was in the recipient’s place of work evoked fear among many Americans yesterday, according to KrebsonSecurity.
Different variations of the email were distributed with subject lines that read “Think Twice” or “--SPAM--My device is inside your building,” as seen in the image below. The emails demand payment in Bitcoin to have the bomb removed.
"We are aware of the recent bomb threats made in cities around the country, and we remain in touch with our law enforcement partners to provide assistance," an FBI statement read. "As always, we encourage the public to remain vigilant and to promptly report suspicious activities which could represent a threat to public safety."
In addition, the New York Police Department Counterterrorism Bureau asserted that the threats are not considered credible. Law enforcement agencies from Raleigh to Chicago and dozens of other cities also responded to threats, none of which have been substantiated.
“All it takes is one successful payout to make this scheme worthwhile for the perpetrator. This is a high-risk extortion attempt because there's no doubt it would garner significant attention from law enforcement,” said Tim Erlin, VP, product management and strategy at Tripwire.
“At this point, it's unclear if there's an additional motive beyond extortion. It is clear, however, that disruption has been a consequence. There will be an in-depth investigation into who is behind this campaign, and it's likely they'll be identified.”
The ease with which an attacker can craft such a large-scale disruption has ignited concern. “While these Bitcoin demands seem over the top, the disruption can cost millions in police time alone, and the potential for this to escalate with copycats is always alarming,” said Atiq Raza, CEO of Virsec. “As new extortion ideas get out there, the potential for serious, targeted attacks on high-value cyber-targets will only increase.”
Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, said that the incident should serve as a reminder to all organizations that they must conduct regular training of their employees as to the different types of threats.
"As with any trend, there is the genuine product, and there are copycats. What we have seen here would be the latter. However, given the availability of hacker tools for hire and personal data for low prices, it will become harder to separate the two. The bad guys continue to look for any vulnerabilities they can find in one’s security controls. This is just another example, with the hope that a small percentage of the targets will act on the email.”
The Federal Election Committee (FEC) has voted that lawmakers are allowed to use leftover campaign funds to guard personal email accounts and devices from cyber threats.
In a proposed draft of its advisory opinion, the FEC responded to Sen. Ron Wyden’s question: “May a United States Senator use campaign funds to pay for the costs of cybersecurity measures to protect his personal electronic devices and accounts?”
The FEC responded, “Yes.”
“The Commission concludes that you may use campaign funds to pay for the costs of security measures to protect your personal devices and accounts without such payments constituting an impermissible conversion of campaign funds to personal use, under the Act and Commission regulations,” the FEC wrote.
In submitting his request to the FEC, Sen. Wyden acknowledged that he had not experienced any personal threats thus far, but he argued that the cyber threats elected officials face include "attacks by sophisticated state-sponsored hackers and intelligence agencies against personal devices and accounts."
In the advisory opinion, the FEC acknowledged that both Dan Coats, director of National Intelligence, and Michael Rogers, former director of the National Security Agency (NSA), agreed that the personal accounts of lawmakers are at risk of cyber-attacks.
“It’s become increasingly clear in recent years that foreign attackers view institutions that underpin democracy as high-value targets. From election equipment to the elected representatives themselves, malicious actors will systematically look for access,” said Ben Johnson, co-founder and CTO, Obsidian Security.
“The ruling by the FEC allowing leftover campaign funds to purchase additional cybersecurity detection and protection has kept the conversation about election protection going. We need to ask whether cybersecurity should have to rely on unpredictable leftover funds or if it should be a key component to candidates’ campaign machinery. Personal devices and personal accounts are coupled with corporate and government security,” said Johnson.
"That trend is only going to increase. A stronger approach to personal cybersecurity hygiene can help provide a critical extra layer of defense against attackers looking to influence or access US government systems. Put simply: anything that makes our personal identities safer will benefit our professional identities."
Unpatched security vulnerabilities remain the biggest threat to UK retailers as they increase spending to mitigate risk during the busy Christmas shopping period, according to Infoblox.
The security vendor polled 3000 consumers and retail IT professionals across Europe and the US to better understand their attitudes to data security during December.
In the UK, the largest number of IT pros (28%) claimed unpatched flaws were the main source of attacks, followed by consumer or end-user error (25%), supply chain vulnerabilities (22%) and unprotected IoT devices (21%).
Given these risks, it’s no surprise that 63% of UK retailers have increased spending on cybersecurity during the busy period.
Although it was unclear in which areas they’re spending, a rise in social engineering attacks is seen as a major threat (34%). It would therefore appear that phishing attempts aimed at both consumers and retail employees are high on the list of concerns.
However, ID fraud (16%) and data security (13%) are far less important for UK consumers than delivery (55%). That might explain why a fifth of them take no proactive measures to protect their data — higher than in any other country surveyed.
Despite this apparent complacency, consumers are far from convinced that the stores they shop in are capable of keeping their personal data secure. Just one third (34%) said they trust retailers to hold their data.
“It’s interesting to read that so few consumers around the world are actively concerned with the protection of their own data when shopping online, particularly when two thirds of those we surveyed had little trust in how retailers held that data,” said Infoblox technical director for Western Europe, Gary Cox.
“More education is clearly required of the risks that online shoppers face, especially over Christmas, and the steps they can take to better protect their own data and identity from those intent on theft and fraud.”
According to the British Retail Consortium’s 2016 Retail Crime Survey, 53% of all fraud in the industry comes from cyber, amounting to estimated losses of £100 million.
A convicted cyber-criminal once dubbed “the acid house king” has been sentenced to 20 months behind bars for a new fraud campaign which saw him use a bizarre home-made device.
Tony Muldowney-Colston, aka Tony Colston-Hayter, of Brighton, pleaded guilty to nine counts of possession of an article for use in fraud and two counts of making or supplying an article for use in fraud.
Metropolitan Police officers had launched an investigation into his activities in January, before obtaining a search warrant for an address linked to the fraudster in June.
While searching the property they found a hard drive containing passport and identity card data, 32 credit cards, and a spreadsheet containing names, addresses, e-mail addresses and phone numbers linked to a private members’ club in central London.
More surprisingly, police found a strange home-made contraption which Muldowney-Colston apparently used to distort his voice whilst on the phone to banks in an attempt to impersonate legitimate customers.
The machine reportedly also played pre-recorded bank messages to trick victims.
These unconventional methods enabled him to access funds of over £500,000 from the accounts he was able to pry open.
“The scam carried out by Muldowney-Colston affected hundreds of people across the UK, and had the potential to affect many more. He is an audacious criminal who only recently was released from prison for carrying out very similar offences,” said detective inspector Philip McInerney, from the Met’s Cyber Crime Unit (MPCCU).
“He shows no concern for the welfare of any individual or organization, and has made it clear he will use a range of methods to achieve significant financial gain for himself. I am very grateful to our partners in the banking industry who have worked closely with us on this and a number of investigations.”
Muldowney-Colston was jailed in 2014 for over five years for masterminding a cyber-attack on computers at branches of Barclays and Santander that netted the gang £1.3m.
Prior to that he shot to fame by popularizing rave culture in the 1980s, something that earned him the nickname of the acid house king.
The Information Commissioner’s Office (ICO) has fined a London-based company £200,000 for sending millions of nuisance texts to unsuspecting consumers.
Tax Return Limited sent a staggering 14.8 million text messages between July 2016 and October 2017 without gaining proper consent first.
The firm claimed in its defense that consent had been given through third-party websites, but the ICO ruled that these privacy policies were too vague and generic. What’s more, neither Tax Return nor the third party service provider it used for its campaign were listed on the policies.
“Spam texts are a real nuisance to people across the country and this firm’s failure to follow the rules drove over 2,100 people to complain,” claimed ICO director of investigations, Steve Eckersley.
“Firms using third-party marketing services need to double-check whether they have valid consent from people to send promotional text messages to them. Generic third-party consent is also not enough and companies will be fined if they break the law.”
The ICO has the power to fine firms up to £500,000 for breaking the Privacy and Electronic Communications Regulations (PECR): the regime which governs marketing calls, emails, texts and faxes.
Tax Return is just one of many firms to have been fined large sums by the regulator over the past few years.
Last month the ICO fined ACT Response of Middlesbrough £140,000 for sending 496,455 marketing calls to subscribers of the Telephone Preference Service (TPS) who had signed up specifically to avoid nuisance calls. Secure Home Systems (SHS) of Bilston, West Midlands, was fined £80,000 for making calls to 84,347 TPS-registered numbers.
Campaigners have called on the government to come good on its promise to directly fine directors of companies which breach the PECR. A current loophole means many seek bankruptcy to escape punishment, only to go on to set up new businesses.
The payment information of more than 47,000 patients was potentially compromised after the Baylor Scott & White Medical Center in Frisco, Texas, suffered a third-party data breach, according to the hospital’s notice of a data security incident.
The hospital disclosed that it had sent letters to more than 47,000 patients and guarantors, alerting them to the possibility that their payment information, which could include partial credit card information, might have been compromised. “Medical-related data breaches are lucrative because malicious actors can try to sell data to advertisers based on health conditions,” said Justin Jett, director of audit and compliance for Plixer.
The disclosure notice states: “On September 29, 2018, the hospital discovered an issue with a third-party vendor’s credit card processing system. The hospital immediately notified the vendor and terminated credit card processing through them. An investigation determined the inappropriate computer intrusion occurred between September 22-29, 2018. There is no indication the information has been further disclosed or misused by any other unauthorized individuals or entities.”
While the hospital’s information and clinical systems were not impacted and no medical information was compromised, the data that might have been accessed includes names, address and date of birth, as well as medical record numbers and the dates of service. Insurance provider information and account numbers, along with the last four digits of the credit card, account balances and invoice numbers, could also be among the information compromised in the data breach.
“The Baylor Scott and White Medical Center-Frisco felt firsthand the effects of a third-party breach, as they were forced to notify over 47,000 patients that their payment information had been exposed,” said Fred Kneip, CEO, CyberGRX. “We are at a pivotal point in the evolution of cyber-attacks, where organizations are called to move beyond previous, static approaches to third-party cyber-risk management that are unable to scale with our growing ecosystems. As a result, the industry must foster collaboration across the board, where organizations work with their third parties to mitigate risk before they become a target for attackers.”
Earlier this week, the New York Times published its findings from an investigation into the location data that is tracked by mobile apps and used to help advertisers. The investigation revealed that more than 75 companies “receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information.”
Despite the claim that the data is anonymous, the Times concluded that the information collected is quite precise, revealing the user’s location with surprising accuracy. The data is used by advertisers who then market ads to users based on their locations.
“It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year. IBM has gotten into the industry, with its purchase of the Weather Channel’s apps. The social network Foursquare remade itself as a location marketing company. Prominent investors in location start-ups include Goldman Sachs and Peter Thiel, the PayPal co-founder,” according to the Times.
While these revelations might be shocking, these often unauthorized harvesting activities have been going on for years and seem only to be escalating in frequency and the granularity of that information, according to Chris Olson, CEO of The Media Trust.
Still, the tables could slowly be turning as consumers begin to understand how to better protect their privacy. “Consumers are only slowly waking up to how much information on their every move is being gathered, analyzed and sold by legitimate entities and bad actors alike," Olson said.
In addition, new laws on consumer data privacy like GDPR and California’s Consumer Privacy Act are being proposed. Combined with the recently proposed US federal consumer data privacy bill, these efforts “are shining much needed light on these unrestrained practices and their perpetrators."
“Just as GDPR is forcing companies across all industries and around the world to change how they operate, so too will the rest. And there will likely be a cumulative effect once regulations that are sweeping across the world begin to penalize violators. Although some laws set limits on the size of companies they cover, consumers will likely expect all companies, regardless of size or the number of consumers they track, to align their processes with the laws. This would also mean that companies of all sizes will have to carefully map and monitor all the third parties they do business with for any data processing that might violate their digital policy,” said Olson.
What happens when you combine a remotely controlled banking Trojan with an abuse of Android Accessibility services? According to new research from ESET, you get an Android Trojan that steals money from PayPal accounts, even with 2FA on.
The malware reportedly disguises itself as a battery optimization tool, and threat actors distribute it via third-party apps. “After being launched, the malicious app terminates without offering any functionality and hides its icon. From then on, its functionality can be broken down into two main parts,” researchers wrote.
In a video recording, researchers demonstrated an attempt to steal money from a PayPal account after the user had logged into the app. While the researchers were analyzing the malware, the PayPal app attempted to send €1,000, which failed when the app requested that the user link a new card due to insufficient funds.
The malware also attempted to steal login credentials and used phishing screens in overlay attacks on Google Play, WhatsApp, Skype, Viber and Gmail. “The malware’s code contains strings claiming the victim’s phone has been locked for displaying child pornography and can be unlocked by sending an email to a specified address. Such claims are reminiscent of early mobile ransomware attacks, where the victims were scared into believing their devices were locked due to reputed police sanctions,” researchers wrote.
According to Will LaSala, director of security solutions, security evangelist, OneSpan, the attack against the PayPal app highlights the vulnerabilities of installing apps from unknown sources and demonstrates how easily an overlay attack can hijack a strong application.
“What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user’s mobile device. What’s new for this malware is that it is not focused on phishing for the user’s credentials, although it appears to attempt to phish for the user’s credit card information; instead it attempts to directly attack the transaction by creating an instant money transfer to the attacker’s account.”
The Chinese government is responsible for the massive breach recently disclosed by Marriott International, according to new reports.
Two people briefed on the ongoing investigation told the New York Times that the attackers are suspected of working for China’s sprawling Ministry of State Security (MSS).
The hack, it is claimed, was part of a major intelligence gathering operation that also included the notorious breach of the Office of Personnel Management (OPM). Its aim is to build up detailed profiles on US executives and government officials with security clearance.
With the passport information stolen as part of the trove, Chinese spies could theoretically keep tabs on the movements of such individuals more easily. Marriott is said to be a favorite hotel provider for US government and military personnel.
Combined with the information from the OPM, it’s thought that the hotel data could help the MSS identify possible US spies and even recruit their own agents, as well as the Chinese citizens that may have been helping them.
The revelations are likely to cause extra turbulence for the Sino-US trade deal currently being hammered out and the 90-day ‘truce’ agreed by the two presidents in Buenos Aires.
It also presages a new swathe of action from Washington designed to open the kimono on Chinese cyber-espionage activity.
It’s predicted we’ll see a fresh round of indictments of Chinese military and intelligence operatives, and possibly the declassification of a US intelligence report detailing Beijing’s concerted attempts to build a huge data lake of American citizens’ information.
The indictments are thought to be linked to “Cloud Hopper” (APT10), a group that has spent years targeting the managed service providers of large companies.
An official with knowledge of the plans said they could also include making it harder for Chinese telecoms firms to get hold of key components. Any such move would likely enrage Beijing and only accelerate its cyber-espionage-fuelled efforts to become self-sufficient in tech.
Sam Curry, CSO at Cybereason, argued that Washington is rapidly changing its stance on China.
“The appropriate response is one that is on the political, diplomatic, economic, and military domains where cyber is a factor and not the only star,” he added. “Cyber is both a domain in its own right and a component of all the others. So the administration needs to plan a response to the political situation, using cyber as a tool."
Over 40,000 credentials for accounts on government portals around the world have been leaked online, and are most likely up for sale on the dark web.
Russian security firm Group-IB said usernames and cleartext passwords were available for various local and national government entities across more than 30 countries.
It’s not clear exactly how they were discovered, although the firm claims readily available keyloggers and info-stealing malware enabled the hackers responsible to harvest the info over time. It’s thought they may be part of an even bigger trove of sensitive data which has been refined for sale.
Hundreds of accounts on the websites of the US Senate, the Internal Revenue Service, the Department of Homeland Security and NASA were among those affected, according to Bloomberg.
Also hit were portals of the Israel Defense Forces, the Italian defense and foreign ministries, and Norway’s Directorate of Immigration, as well as government sites in France, Poland, Romania, Switzerland and Georgia.
Over half (52%) of victims were in Italy, followed by Saudi Arabia (22%).
Attacks in the US reportedly took place in the past year while other countries have been targeted since June 2017.
Group-IB has informed the authorities in the relevant countries, aware of the potentially serious national security implications of the leak.
Andrea Carcano, co-founder of Nozomi Networks, claimed the attackers likely used phishing attacks to spread the info-stealing malware.
“It is therefore extremely important that government organizations dedicate time and resources into training employees not to click on links, attachments and fraudulent emails that are professionally manufactured to target specific individuals,” he added.
“While it is unclear how much data the compromised login details will provide attackers, the governments affected should still try to do everything possible to limit their access. The first step would be to update login and password information for employees affected.”
The identity numbers of 120 million Brazilians have been found publicly exposed on the internet after yet another IT misconfiguration.
The data relates to Cadastro de Pessoas Físicas (CPFs): ID numbers issued by Brazil’s central bank to all citizens and tax-paying residents. The size of the leak represents data on over half the population of South America’s biggest country.
Researchers at InfoArmor’s Advanced Threat Intelligence Team found the database exposed on an Apache web server in March, after a simple internet search.
“Upon closer examination of the server that was discovered by InfoArmor’s researchers, it was found that someone had renamed the ‘index.html’ to ‘index.html_bkp,’ revealing the directory’s contents to the world. Anyone who knew the filename or navigated to it would have unfettered access to all the folders and files within,” its report explained.
“Two simple security measures could have prevented this: not renaming the main index.html file or prohibiting access through .htaccess configuration. Neither of these basic cybersecurity measures were in place.”
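A defender's check for the misconfiguration the report describes, added here as an example and not InfoArmor's or the page's own code: it walks a web root and flags directories that Apache would serve as an autoindex listing (Indexes in effect and no index file present), honouring "Options -Indexes" in .htaccess. It assumes AllowOverride permits Options in .htaccess, the DirectoryIndex names listed in the code, and a constructed sample tree that mirrors the renamed index.html.

```python
"""Audit a web root for directories Apache would list publicly.

Added example (not InfoArmor's or the page's code). It models the leak
described above: the index file of a directory was renamed, so with the
Indexes option in effect Apache served a listing of every file inside.
The walker applies the two controls the report names: an index file
present, or "Options -Indexes" in .htaccess. Assumes AllowOverride lets
.htaccess set Options and that DirectoryIndex is the list below.
"""
import os
import tempfile

# Assumed DirectoryIndex list; a renamed index.html_bkp is deliberately not one.
INDEX_FILES = ("index.html", "index.htm", "index.php")


def htaccess_indexes(dirpath):
    """Return True/False if .htaccess here turns Indexes on/off, None if silent.

    Handles both Apache forms: an absolute "Options Indexes FollowSymLinks"
    replaces the inherited set, while "+Indexes"/"-Indexes" adjust it.
    """
    path = os.path.join(dirpath, ".htaccess")
    if not os.path.isfile(path):
        return None
    verdict = None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()  # drop comments
            tokens = line.split()
            if not tokens or tokens[0].lower() != "options":
                continue
            opts = tokens[1:]
            if opts and all(o[0] in "+-" for o in opts):
                # Relative form: only an explicit +/-Indexes changes the verdict.
                for opt in opts:
                    if opt[1:].lower() == "indexes":
                        verdict = opt[0] == "+"
            else:
                # Absolute form: Indexes is on only if it is listed.
                verdict = any(o.lower() == "indexes" for o in opts)
    return verdict


def audit(docroot, default_indexes=True):
    """Return relative paths of directories that would be listed publicly.

    default_indexes mirrors the server-wide Options setting; a permissive
    default is the risky case the report describes.
    """
    effective = {}
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):  # top-down: parents first
        inherited = effective.get(os.path.dirname(dirpath), default_indexes)
        local = htaccess_indexes(dirpath)
        effective[dirpath] = inherited if local is None else local
        if effective[dirpath] and not any(f in INDEX_FILES for f in files):
            exposed.append(os.path.relpath(dirpath, docroot))
    return sorted(exposed)


def build_demo_root():
    """Constructed sample tree reproducing the renamed-index scenario."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {
        "index.html": "<html>ok</html>",
        "leaked/index.html_bkp": "<html>was index</html>",  # renamed, as in the report
        "leaked/export.csv": "id,name\n",  # constructed placeholder records
        "hardened/.htaccess": "Options -Indexes +FollowSymLinks\n",
        "hardened/export.csv": "id,name\n",
        "hardened/archive/old.csv": "id,name\n",  # inherits -Indexes from parent
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Audit the constructed tree under a permissive server default."""
    return audit(build_demo_root(), default_indexes=True)


if __name__ == "__main__":
    print("directories exposed to listing:", demo())  # ['leaked']
```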
Only weeks later, after the firm unsuccessfully tried to contact the SQL host, did the issue get fixed.
“What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated alibabaconsultas.com domain that redirected to its login panel,” it explained.
“Although InfoArmor cannot be sure that alibabaconsultas.com was responsible for the leak, it appears they were somehow involved, likely in a hosting-as-a-service function.”
The security firm warned that “it is safe to assume” either a nation state or cybercrime group now has the leaked information.
Ilia Kolochenko, CEO of High-Tech Bridge, said a thorough investigation is required by the Brazilian government.
“The major question here is how did this highly sensitive and confidential data go online on a third-party server in a flagrant violation of all possible security, compliance and privacy fundamentals? Who else has access to this data and its copies?” he argued.
The vast majority of white hat hackers who reported that they were looking for jobs in cybersecurity said that their bug hunting experience helped them land a job, according to Bugcrowd’s 2018 Inside the Mind of a Hacker report.
The report looked at the community of white hat hackers to better understand the skill sets and career aspirations of more than 750 security researchers and found that 41% of white hat hackers are self-taught. In addition, 80% of bug hunters said that their experience in bug hunting has helped them get a job in cybersecurity.
"Bug bounties have impacted my life by teaching me skills that I didn't know from doing traditional pentesting," said Phillip Wylie, a top-performing security researcher for Bugcrowd based out of Texas in today's press release. "I really enjoy being involved in the security and hacking community and I now teach ethical hacking at a community college. It's important to share knowledge in our community so we can push ourselves to be better."
“Cybersecurity isn’t a technology problem, it’s a people problem – and in the white hat hacker community there’s an army of allies waiting and ready to join the fight,” said Casey Ellis, founder and CTO at Bugcrowd in the release.
“Bug hunting is a perfect entry point for would-be infosecurity professionals to gain real-world experience, as well as for seasoned professionals to hone their skills and supplement their income. With cybercrime expected to more than triple over the next five years, bug hunting addresses the dire need for security skills at scale.”
A career in bug-hunting can be quite lucrative, with the research showing that the average total payouts for the top 50 hackers totaled around $150K, with the average submission payout coming in at $783. While hackers are finding and submitting plenty of bugs, 15% of hackers have the ambition of being a top security engineer at tech giants like Google and Facebook, yet only 6% have the desire to someday be a CISO.
Some hackers (24%) only spend an average of 6–10 hours a week bug hunting, which could be a function of the fact that more than half of the white hat hacker community are hunting bugs on top of their regular 9–5 positions.
The report also highlighted the continued gender imbalance that plagues the industry, with women representing a mere 4% of the global hacking community.
Email phishing continues to be the most common method of attack, and according to new research from Comodo Cybersecurity, Microsoft, PayPal and Google are the top three brands most targeted by phishing.
In its Global Threat Report 2018 Q3, researchers in Comodo’s threat research lab found that phishing represents one of every 100 emails received by enterprises, with 19% of those attacks targeting Microsoft, followed by 17% targeting PayPal and 9.7% going after Google.
According to the report, 63% of the emails a business receives are clean, while 24% are spam, and only 1.3% of business emails are phishing attempts. Of those, there were three subject lines that were used with great frequency.
In 40% of the phishing emails examined, the subject line was related to PayPal and read, “Your account will be locked.” Another 10% of phishing emails targeted FedEx and read “Info,” while the third-most popular headline, “August Azure Newsletter,” appeared in 8% of the phishing emails and targeted Microsoft.
While malicious attachments remain the top method of infection, phishing URLs are also gaining popularity and represent 40% of the total phishing emails analyzed. In one example, researchers discovered an email claiming to be a survey of that Azure newsletter. The message contained what appeared to be an authentic URL and Microsoft logo, which made it very difficult for users to determine whether it was legitimate. If users clicked on the link, they were delivered to a malware-laden web page, where they were covertly infected.
The report also found that there was a surge in malware deployment in advance of major national elections across the globe, as well as correlations of malware detection both prior to and immediately following geopolitical crises.
“These correlations clearly stand out in the data, beyond the realm of coincidence,” said VP of Comodo's cybersecurity threat research labs Fatih Orhan. “It is inescapable that state-actors today employ malware and other cyber-threats as both extensions of soft power and outright military weapons, as do their lesser-resourced adversaries in asymmetric response.”
In a campaign that has lasted at least three years, financially motivated attackers have been targeting Rosneft, a state-owned Russian oil company, according to new threat intelligence published by Cylance.
In its Threat Intelligence Bulletin, researchers discovered that ordinary criminals – not state-sponsored actors – were behind the attacks on the predominantly Moscow-owned company. Anticipating that researchers would assume that the campaign was a nation-state attack on the critical infrastructure of a company that holds enormous political influence in Russia, these cyber-criminals were well camouflaged, making attribution all the more challenging.
Upon investigating the command-and-control (C&C) domains used by the malware authors, researchers learned that “the threat actor had created similar sites to mimic more than two dozen mostly state-owned oil, gas, chemical, agricultural, and other critical infrastructure organizations, in addition to major Russian financial exchanges,” according to the research.
The attackers used Microsoft Office macros to deliver malicious implants to their targets throughout their extensive phishing campaign. Through analyzing several samples of the malware, researchers discovered a backdoor, programmed in Delphi, that shared IP address and hostname information in its communication over HTTP with two C&C servers.
“The backdoor had the ability to upload and download files, manipulate files and folders, compress and decompress files using ZLIB, enumerate drive information and host information, elevate privileges, capture screenshots and webcam pictures, block and/or simulate user input, log keystrokes, and manipulate processes on the infected system,” the bulletin said.
“Business email compromises like the one seen in this attack are, according to the FBI, big business – costing victims $12 bn globally in 2018 alone,” said Kevin Livelli, director of threat intelligence at Cylance.
“Organizations outside the specific target set of this attack should be alert to the fact that the techniques and targeting we normally associate with state or state-sponsored espionage efforts are also being used by ordinary criminals (even lone actors) motivated by financial gain. Targeted attacks come in all flavors – including crime – and defenders should be vigilant to this fact and resist jumping to conclusions when they see activity that might otherwise scream 'APT.'”
Security researchers have discovered a major targeted attack campaign aimed at stealing info from scores of mainly English-speaking organizations around the world and using source code from the infamous Lazarus Group.
What McAfee has dubbed “Operation Sharpshooter” targets government, defence, nuclear, energy and financial organizations, mainly in the US but also the UK, Canada, Australia, New Zealand, Russia, India and elsewhere.
Some 87 organizations have so far been found to be infected with the Rising Sun implant, a modular backdoor which allows the attackers to perform reconnaissance by accessing sensitive information including documents, usernames, network configuration and system settings.
Although not previously seen, the implant draws on source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer, used in the notorious attack on Sony Pictures Entertainment. However, McAfee is not attributing the campaign to North Korea — in fact, the “numerous technical links” to the group raise the possibility that this is a false flag, it claimed.
The initial attack vector is fairly standard: a weaponized macro-based document which, when opened, runs an in-memory implant to download and retrieve the second-stage Rising Sun malware.
Any data of interest is encrypted and sent back to the C&C server. It’s unclear whether the operation will stop at reconnaissance or if this is just the first stage in a multi-layered sophisticated campaign.
“Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors,” argued McAfee chief scientist and fellow, Raj Samani.
“However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated. Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems.”
The coming year will see a mix of old and new as phishing is supercharged with AI but reported vulnerabilities continue to cause organizations problems, according to Trend Micro.
The security giant claimed in its predictions report this week that phishing will continue to grow in popularity as exploit kits fade. The number of detections of the latter has fallen from over 14.4 million in 2015 to just 261,000 today, while blocked phishing URL volumes have jumped from 8.1 million to over 210 million over the same time period.
However, attackers will be looking to make phishing even harder to detect, via new tactics such as using AI to monitor executives’ online behavior, and AI-enabled chatbots to lure users into clicking on malicious links.
Another social engineering-based attack set to hit the mainstream in 2019 is SIM-swap fraud, according to the vendor.
However, despite some relatively new tools and techniques breaking onto the scene, it is the tried-and-tested options that remain a major threat over the coming year.
These include exploitation of known vulnerabilities: 99.99% of exploit-based attacks will involve vulnerabilities for which patches have been available for weeks or even months but have not been applied, predicted Trend Micro.
Many of these will be found in OT systems like SCADA human machine interfaces, as well as newer systems like Kubernetes and other cloud software.
Hackers will also respond to the increasing use of AI by the white hats to try and stay hidden by “living off the land,” according to principal security architect, Bharat Mistry.
“By repurposing standard computing objects for reasons other than their intended purposes — such as unconventional file extensions or online storage services — the threat actor’s arsenal will evolve significantly, and enable them to intelligently camouflage within the corporate network,” he explained.
“In 2019, as cyber-criminals look to infiltrate sites under the radar, it’s imperative that enterprises implement comprehensive security solutions that are able to spot disguised profiling attempts.”
There’ll be plenty for system administrators to do right up to the end of the year with Microsoft’s latest patch update round featuring fixes for nine critical vulnerabilities including one zero-day bug.
The 39 flaws reported by the computing giant on Tuesday paled in comparison to the 87 posted by Adobe and represent a relatively light load, but there are important caveats.
The main one is CVE-2018-8611, an elevation-of-privilege (EoP) bug that affects all supported operating systems from Windows 7 to Server 2019, enabling an attacker to run arbitrary code in kernel mode.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system,” explained Microsoft.
“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Another one to note is CVE-2018-8517, a publicly disclosed flaw which could allow a DoS attack in .NET web apps.
“The vulnerability can be exploited remotely without authentication by issuing a specially crafted request to the vulnerable application,” explained Ivanti’s Chris Goettl.
“The vulnerability is rated as important likely due to complexity to exploit, but it has been publicly disclosed, meaning enough information has been revealed to the public to give a threat actor a head start on creating an exploit to take advantage of the vulnerability.”
Allan Liska, senior solutions architect at Recorded Future, also pointed to a critical heap overflow vulnerability in Microsoft’s DNS Server (CVE-2018-8626), and several critical flaws in the Microsoft Edge Chakra Core scripting engine.
“This is now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine; the last Patch Tuesday without a Chakra disclosure was September of 2017,” he explained.
This month’s Chakra memory corruption vulnerabilities (CVE-2018-8583 and CVE-2018-8629) would allow an attacker to execute arbitrary code on the victim’s machine.
Experts also urged firms to apply Adobe’s patches, especially those for CVE-2018-15982 and CVE-2018-15983, two critical Adobe Flash zero-day vulnerabilities being actively exploited in the wild.
Amplification bots spread both information and misinformation across Twitter's social network through retweets, and according to new research from Duo Security, these bots not only affect how content spreads but also how the information is perceived.
In Anatomy of Twitter Bots: Amplification Bots, published today, Jordan Wright and Olabode Anise detail the characteristics that make up amplification bots, based on a data set of 576 million tweets. The researchers also looked at how to build a crawler that can map out entire botnets of this kind.
The research is the culmination of a three-part series that began at Black Hat 2018 with "Don’t @ Me: Hunting Twitter Bots at Scale" and was followed by a more detailed explanation of how fake followers operate.
The focus in this final part of the series is on automated retweeting. Because retweeting is what boosts an account's popularity, amplification bots are concerning from an information security perspective. “Automated retweeting of a tweet [is considered] to be more damaging to social network conversation, since it actively spreads content as opposed to just artificially boosting the content’s popularity,” the authors wrote.
Determining which accounts are bots and which are authentic took a bit of work, though. In essence, researchers had to distinguish different patterns of likes and retweets from a wide sampling of accounts.
“We found that an average account’s timeline is composed 37.6 percent of retweets while the 90th percentile was composed of 75 percent of retweets. Because our dataset of tweets does include accounts that exhibit bot-like characteristics, it’s important to note that the overall distribution of retweets in an account’s timeline may be affected by their behavior.”
Research suggested a key factor that distinguishes bots from actual user accounts is found in the timeline, with actual users tending to retweet in consecutive order while the activity of bots is more scattered. After determining normal behaviors, researchers set out to find bots as seen in the image below:
Credit: Duo Security
“The account’s most recent (re)tweet has 969 retweets and 164 likes, which is strange. Most tweets with that many retweets won’t have a retweet-to-like ratio of almost 6:1. To put some numbers to how rare this is, only 0.2 percent of tweets in our dataset had at least 900 retweets and a similar retweet-to-like ratio,” researchers wrote.
Finding one bot then opened the door to the discovery of many more amplification bots. Such bots have the potential to sully the credibility of retweets, though separating legitimate information from misinformation remains a challenge.
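The two signals the researchers describe above, the share of retweets in an account's timeline and a tweet whose retweet count is high while its likes lag far behind, can be turned into a simple triage check. The following is an added example written for this article, not Duo Security's own tooling or crawler; the tweet records are constructed, and the thresholds (900 retweets, a 5:1 retweet-to-like ratio) are assumptions chosen to match the 969-retweet, 164-like case quoted in the research.

```python
"""Amplification-bot heuristics from the Duo research, rendered as code.

Added example, not Duo Security's own tooling. Tweet records and thresholds
below are constructed for illustration; the 900-retweet / ~6:1 ratio figures
come from the quoted research, the rest are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Tweet:
    tweet_id: int
    is_retweet: bool   # True if this timeline entry is a retweet of someone else's tweet
    retweets: int      # retweet count on the underlying tweet
    likes: int         # like count on the underlying tweet


def retweet_share(timeline: Iterable[Tweet]) -> float:
    """Fraction of an account's timeline that consists of retweets.

    Duo reported ~37.6% for an average account and 75% at the 90th percentile;
    an account far above that is a candidate for closer inspection.
    """
    tweets = list(timeline)
    if not tweets:
        return 0.0
    return sum(1 for t in tweets if t.is_retweet) / len(tweets)


def retweet_like_ratio(t: Tweet) -> float:
    """Retweets per like; likes are floored at 1 to avoid division by zero."""
    return t.retweets / max(t.likes, 1)


def looks_amplified(t: Tweet, min_retweets: int = 900, min_ratio: float = 5.0) -> bool:
    """Flag a tweet whose retweet count is high but whose likes lag far behind.

    Thresholds are assumptions chosen to match the quoted case (969 retweets,
    164 likes, a ratio just under 6:1).
    """
    return t.retweets >= min_retweets and retweet_like_ratio(t) >= min_ratio


def amplified_fraction(dataset: Iterable[Tweet], **thresholds) -> float:
    """Share of a tweet corpus matching the heuristic (Duo found ~0.2%)."""
    tweets = list(dataset)
    if not tweets:
        return 0.0
    return sum(1 for t in tweets if looks_amplified(t, **thresholds)) / len(tweets)


# Constructed sample timeline: 10 entries, 4 of them retweets.
SAMPLE_TIMELINE: List[Tweet] = [
    Tweet(1, False, 3, 10),
    Tweet(2, True, 969, 164),    # the pattern quoted in the research
    Tweet(3, False, 0, 2),
    Tweet(4, True, 1200, 1100),  # popular and organically liked
    Tweet(5, False, 1, 0),
    Tweet(6, True, 950, 150),
    Tweet(7, False, 4, 9),
    Tweet(8, True, 20, 3),       # high ratio but too few retweets to matter
    Tweet(9, False, 0, 0),
    Tweet(10, False, 2, 5),
]


def triage(timeline: Iterable[Tweet]) -> dict:
    """Summarise the signals an analyst would look at for one account."""
    tweets = list(timeline)
    flagged = [t.tweet_id for t in tweets if looks_amplified(t)]
    return {
        "retweet_share": retweet_share(tweets),
        "flagged_tweet_ids": flagged,
        "amplified_fraction": amplified_fraction(tweets),
    }


if __name__ == "__main__":
    # On the constructed timeline: retweet share 0.4, tweets 2 and 6 flagged.
    print(triage(SAMPLE_TIMELINE))
```

Run against the constructed timeline, the check reports a 40% retweet share and flags tweets 2 and 6; tweet 4 is popular but organically liked and tweet 8 has a skewed ratio on too few retweets to matter, so neither is flagged. Against a real corpus the thresholds would be tuned from the observed distribution rather than fixed as here.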
The US House of Representatives Committee on Oversight and Government Reform released its report on the Equifax breach. It found that the lack of modernized security controls combined with dozens of expired certificates created vulnerable systems and resulted in the data breach of 143 million records.
The cyberattack that started on May 13, 2017, lasted for 76 days, during which time malicious actors were able to access and exfiltrate unencrypted personally identifiable information hundreds of times, according to the report.
The breach resulted in CEO Richard Smith announcing his retirement on September 26, 2017, a little over a month after he had delivered a speech at the University of Georgia in which he explained that the company manages massive amounts of very unique data.
Smith stated: “We have data on approaching 100 million companies around the world. The data assets are so large, so unique it is...credit data, it is financial data – we have something like $20 trillion of wealth data on individuals, so how many annuities, mutual funds, equities you own. About $20 trillion on property data, so property that you might own – what the value was when you bought it, what it’s worth today. Utility data, marketing data, I could go on and on and on – but massive amounts of data.”
According to the committee’s findings, “Equifax should have addressed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax’s IT management structure existed, leading to an execution gap between IT policy development and operation.”
“This also restricted the company’s implementation of other security initiatives in a comprehensive and timely manner. As an example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains.”
In addition, building critical IT applications on custom-built legacy systems added to the complexity of Equifax’s systems, which was addressed too late to prevent the breach. The report noted that Equifax understood that operating legacy IT systems posed inherent security risks, as evidenced by the company’s action to modernize its infrastructure – steps that should have been taken much sooner.
The committee concluded that “Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.”