Being top choice as an attack vector is likely not a contest any platform wants to win. Unfortunately for Microsoft, Office will not only continue to be the attackers’ vector of choice but will also be the platform for exploiting vulnerabilities, according to a new report from Menlo Security.
After 360 Total Security blogged about “the first APT (Advanced Persistent Threat) campaign that forms its attack with an Office document embedding a newly discovered Internet Explorer 0-day exploit,” Menlo Security researchers sought to understand why attackers were using malicious Office documents for endpoint exploitation.
Malicious Microsoft Office documents attached to emails as an attack delivery mechanism are not new, but the report, Microsoft Office: The New Platform for Exploiting Zero-Days, detailed the latest examples of the growing sophistication of methods being used and highlighted the need for a more foolproof approach to security.
Even while the paper was being drafted, a new zero-day exploit – CVE-2018-5002 – was disclosed, all while two Flash zero-day vulnerabilities continue to be exploited in the wild.
“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage application and operating system vulnerabilities, both old and new,” the report stated.
Researchers did find new attack methods, however. One is the use of embedded, remotely hosted malicious components exploiting app and OS vulnerabilities in Word documents delivering zero-day exploits.
Microsoft Word is the leading cloud office-productivity platform, and its popularity is expected to grow. In turn it will, presumably, continue to be the attackers’ vector of choice and the platform most often used to exploit vulnerabilities.
The researchers found that almost all recent zero-day attacks have been delivered via Microsoft Word. “With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer. By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises," according to the report.
"Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits,” the report concluded.
More than 3,000 mobile iOS and Android apps have presumably been affected by a new HospitalGown threat variant recently discovered by Appthority. The threat occurs when app developers fail to require authentication to Google Firebase databases, potentially leaving private data exposed.
Researchers first discovered what they call the HospitalGown vulnerability in 2017 after broadening their understanding of enterprise mobile threats by looking at the data leakage through back-end data stores that are unsecured. In a 31 May 2017 post, researchers wrote, “This vulnerability...can expose an enterprise to Big Data exfiltration, leakage of PII (personally identifiable information), and the potential for data being stolen and ransomed.”
As of the time Appthority reported the vulnerability, the apps affected by the Firebase variant had been downloaded 620 million times for Android devices. Researchers said 62% of enterprises were exposed to the loss of sensitive data through this vulnerability. The vulnerability is reportedly both critical and significant and has likely impacted productivity, health and fitness, communication, cryptocurrency, finance and business apps.
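The Firebase variant described above comes down to database rules that never ask for a signed-in user. The following added example (not Appthority's tooling) walks a Firebase Realtime Database rules document and reports every path whose `.read` or `.write` rule can be satisfied without authentication; both rule documents are constructed for illustration, and the treatment of any rule expression that never references `auth` as public is a deliberately conservative assumption.

```python
"""Flag Firebase Realtime Database rules that grant unauthenticated access.

Added example, not Appthority's code. The rule documents below are
constructed; the JSON shape (".read"/".write" keys, "auth != null"
expressions) follows Firebase's published rules language.
"""
import json

# Constructed: a rules file that leaves the whole tree readable and writable
# by anyone who knows the database URL (the misconfiguration in the article).
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed: rules that require a signed-in user for the whole tree and
# lock each user's own record to that user.
HARDENED_RULES = json.dumps({
    "rules": {
        ".read": "auth != null",
        ".write": "auth != null",
        "users": {
            "$uid": {
                ".read": "$uid === auth.uid",
                ".write": "$uid === auth.uid",
            }
        },
    }
})


def _is_public(expr) -> bool:
    """True if a rule expression can be satisfied without authentication.

    Firebase accepts a JSON boolean or a string expression. A literal true is
    public; a string is treated as public (conservative assumption) unless it
    is the literal "false" or references the auth object.
    """
    if expr is True:
        return True
    if isinstance(expr, str):
        text = expr.strip().lower()
        return text != "false" and "auth" not in text
    return False


def find_public_paths(rules_json: str):
    """Return sorted (path, permission) pairs that are readable/writable publicly.

    Example: the open rules above yield [("/", "read"), ("/", "write")].
    Rules cascade in Firebase, so a public rule at "/" exposes every child.
    """
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for perm in ("read", "write"):
            rule = node.get("." + perm)
            if rule is not None and _is_public(rule):
                findings.append((path or "/", perm))
        for child, sub in node.items():
            if not child.startswith("."):
                walk(sub, f"{path}/{child}")

    walk(doc.get("rules", {}), "")
    return sorted(findings)


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_public_paths(rules))
```

Because Firebase rules cascade downward, a single public `.read` at the root is enough to expose every record beneath it, which is why the checker reports the root path rather than enumerating children.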
“The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities,” Seth Hardy, Appthority director of security research, said in a 19 June press release.
Because mobile developers are under pressure to release a product, “the rush to market can result in developers and line-of-business owners overlooking rather basic security practices that might prevent this sort of issue. It's not hard to find mobile development talent, but finding a mobile developer with security expertise is rare, and so developers need all the help they can get," said Samuel Bakken, senior product marketing manager, OneSpan.
Given that mobile application security is so critical to enterprise security, “this vulnerability underscores why sectors such as healthcare and finance are increasingly adopting multilayered security strategies and incorporating passive biometrics and behavioral analytics to help ensure that the previously stolen data cannot be used for fraudulent purposes,” said Ryan Wilk, VP of customer success, NuData Security.
The state of Oregon continues efforts to resolve an email issue, with the oregon.gov domain still preventing communication from state employees.
On 19 June, Oregon Live reported that agency directors across the state of Oregon received a message alerting them to a phishing attack that generated over eight million spam emails from an oregon.gov email address.
“This happened over the weekend and was caught on Monday. Unfortunately, we did not catch it before external mail providers downgraded the Oregon.gov sender reputation score – a score that shows how mailbox providers view your IP address. As a result of this incident, mail from Oregon.gov has been blacklisted by certain providers,” the message said.
Email providers, including Outlook, MSN, Hotmail and Live, have blacklisted emails attempting to come in from Oregon’s state email domain. As a result, mail from any state employee sent to those email domains will not be received.
State employees were reportedly told by Amy Williams, a spokeswoman for the Department of Administrative Services (DAS), that they may have to use an alternate email address. Williams also suggested that members of the public attempting to contact state employees should include phone numbers in their emails.
While Gov. Kate Brown reportedly declined to comment on the status of the cybersecurity posture of the state of Oregon, DAS is working with the Department of Enterprise Technology Services and the Enterprise Technology Office to rectify the situation. The attack on state email addresses serves as a reminder that phishing campaigns are rampant and sophisticated.
“Emails from a well-known and trusted sender are likely to be acted on by a person of that organization. Without the use of specialized email defenses and multifactor authentication, it is not surprising that these types of attacks are growing quickly globally,” said Matthew Gardiner, cybersecurity expert at Mimecast.
“Attackers love to steal users’ email log-in credentials from organizations such as the state of Oregon as this access can be used to quickly pivot the attack to breach other organizations that regularly do business with the state. This technique forms the basis of many supply-chain style attacks.”
As Fortnite fans await its mobile debut on Android, YouTube videos have been detected claiming to contain downloads for the game.
After various tutorial videos were discovered, research by Malwarebytes into the videos found that tutorial apps were not in the Google Play store, but users found links in YouTube’s sponsored adverts which appear legitimate, and feature the Epic Games logo.
Nathan Collier, senior malware intelligence analyst at Malwarebytes, found that upon downloading and opening the app it plays the Fortnite intro song and requests updates to be downloaded, before requesting mobile verification from the user.
“There, it claims to be for the purpose of verifying 'You’r Not A BOT' (bad grammar and all) in order to proceed to Fortnite,” Collier said. “To ‘verify’ the user must complete a task, which involves downloading another ‘free’ app.”
This directs to Google Play, but Collier said no matter how many apps you download, the game never unlocks, because it never existed within the malicious app in the first place.
He said: “The more downloads that come from the website, the more money the malware developers can make. With the app being so simplistic, the amount of development effort is pretty low for the amount that could be potentially gained.”
James Hadley, CEO and founder of Immersive Labs, said: “Fortnite’s popularity, driven by gamers including the England football team, means there is an opportunity for cyber-criminals to take advantage of the demand for the game and the latest releases.
“In life, if something seems too good to be true, it usually is just that; and cyber is no different. Cyber-criminals rely on the draw of a new, exciting or trendy app outweighing the perceived negatives; in this case, getting an early release of Fortnite on Android for downloading another app.”
Javvad Malik, security advocate at AlienVault, said that ongoing user awareness is essential to ensure users are savvy to the risks that can affect them, and defenses to stop such malware making its way into app stores, or running on devices, needs to be continually improved.
Steve Giguere, lead EMEA engineer at Synopsys, added: “There's no shame in being caught out by schemes or scams like these, but we need to learn that where we exhibit human weakness, the cyber-criminal will be present looking to take advantage to turn our nature against us.
“As attacks like these become more commonplace, awareness will inevitably follow; but until then, ensure you are running a modern endpoint security program and remember that if you think it looks too good to be true, don't take the bait - it's called phishing for a reason.”
The firm carried out a survey of three sample groups – 1000 small business owners, 1000 C-suite execs of large organizations and 1100 consumers/employees to expose security risks currently threatening UK companies.
A key finding was that businesses recognize employee negligence as playing a major or moderate role in data security breaches, but that a significant percentage are failing to take action with robust information security training programs.
Only just over half (55%) of the large organizations surveyed had trained their workers on public Wi-Fi use, whilst almost a third had failed to provide training on spotting fraudulent emails. Smaller businesses fared a lot worse, with just 46% of them offering necessary key training; only 27% had provided public Wi-Fi training and a third offered fraudulent email training.
“It might feel like rough justice for employees to be held to account when training is not comprehensive, but it reflects how difficult this process is, even for businesses with extensive resources,” said Neil Percy, vice-president market development and integration EMEA, Shred-it.
“There may also be an assumption that some elements are common sense, but that potentially belies how easy it is to be duped by skilled phishers and hackers, or even to lose confidential info during the course of a busy day. Mindfulness is key and training helps.”
New research from Centrify has assessed managerial attitudes towards younger employees (18-24-year-olds) and their security, privacy and online behaviors at work.
Released at a press launch event in central London yesterday, Centrify’s survey revealed that, of the 500 senior decision makers polled, more than a third believe the younger generation are the ‘main culprits’ for security breaches, with 37% stating they are too relaxed about security measures, too trusting in new technology (35%) and share data too easily (30%).
However, further investigation by the firm showed that such concerns are not necessarily reflective of real actions of younger employees, and that managerial-level workers are actually failing to ‘lead by example’ when it comes to good security and privacy behaviors themselves.
For example, the biggest worry for decision makers (44%) was that next-gen workers would misuse technology; clicking on suspicious links or removing company information via a USB stick/personal email. In fact, of the 1000 18-24-year-olds surveyed, only one in 10 admitted to clicking on a suspicious link, with just 7% removing information from the company. Conversely, Centrify pointed out that twice as many managers had clicked on suspicious links compared to younger workers, and twice as many had removed information from the company.
Likewise, 38% of decision makers worried about younger workers using corporate devices for personal use, when in fact more of them admitted to playing games on work devices (18%) than next-gen employees (15%), and one in eight used them to gamble online compared to one in 20 younger employees.
Perhaps most poignantly, although 48% of managers felt concerned about how younger employees’ social media activity might affect the organization and compromise security, just 40% of 18-24-year-olds said their company provides clear guidance around social media usage.
What’s more, according to younger workers, only 40% of employers enforce a regular password change despite 56% of managers worried about password sharing, whilst 36% said they are able to access any/all files within their business network without restriction despite concerns around the taking of company information from the workplace.
“Some may think of younger workers as always online, always ready to share information and perhaps not being as concerned about privacy or security as older workers, but we must remember they are the business leaders of tomorrow and we must help not hinder them,” said Barry Scott, CTO EMEA, Centrify.
“While it’s clear that employers are concerned about this new generation entering the workforce – and see them as a potential risk to both the business and brand – these same companies are perhaps guilty of not putting in place the right security processes, policies and technologies. If you give employees access to any information at any time from any place, or fail to enforce strict password and security policies, they are likely to take full advantage, putting both their own jobs at risk as well as the company itself.”
In an attempt to steal sensitive data, cyber-criminals have been targeting financial firms by building hidden tunnels in order to break into networks. According to a report released today by Vectra, these attack behaviors are the same as those that led to the 2017 Equifax breach.
According to a new report, 2018 Spotlight Report on Financial Services, attackers are able to gain remote access through the use of command-and-control (C&C). In the data analyzed, attackers had established nearly 30 web shells accessible from approximately 35 different public IP addresses, which allowed them to exfiltrate data while going undetected.
Attackers often leverage hidden tunnels to infiltrate networks with strong access controls because legitimate applications also tunnel traffic inside allowed protocols to get past security controls that would otherwise limit their functionality, so the attackers' traffic blends in with it. That is why it is a successful attack method.
"Every industry has a profile of network and user behaviors that relate to specific business models, applications and users," said Chris Morales, head of security analytics at Vectra. "Attackers will mimic and blend in with these behaviors, making them difficult to expose."
In this latest discovery, Vectra detected more hidden C&C tunnels and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries combined.
To evade firewalls, attackers use special tunneling tools to move laterally, stockpiling data from database after database as they go. They were able to amass so much data that it then needed to be divided into smaller stockpiles so that no alarm bells went off during exfiltration.
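The chunking described above defeats any alert that looks at one transfer at a time. The following added example (not Vectra's detection logic) shows the difference: a naive per-flow threshold beside a sliding-window detector that sums outbound bytes per source/destination pair so that many small pieces add up to one alert. The flow records, thresholds and window are constructed for illustration; in practice the records would come from NetFlow or Zeek connection logs.

```python
"""Aggregate small outbound transfers per destination to spot chunked exfiltration.

Added example, not Vectra's code. The flow records, thresholds and window
size below are constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed flow records: (timestamp_seconds, src, dst, bytes_out).
# Host 10.0.5.21 pushes six sub-1 MB chunks to one external address;
# host 10.0.5.40 sends two ordinary transfers an hour apart.
FLOWS = [
    (0,    "10.0.5.21", "203.0.113.9",  900_000),
    (60,   "10.0.5.21", "203.0.113.9",  950_000),
    (120,  "10.0.5.21", "203.0.113.9",  880_000),
    (180,  "10.0.5.21", "203.0.113.9",  910_000),
    (240,  "10.0.5.21", "203.0.113.9",  940_000),
    (300,  "10.0.5.21", "203.0.113.9",  870_000),
    (30,   "10.0.5.40", "198.51.100.7", 400_000),
    (3600, "10.0.5.40", "198.51.100.7", 450_000),
]

PER_FLOW_LIMIT = 1_000_000   # bytes; every chunk above stays under this
WINDOW_SECONDS = 600         # sliding window per (src, dst) pair
WINDOW_LIMIT = 5_000_000     # bytes allowed per pair within the window


def per_flow_alerts(flows, limit=PER_FLOW_LIMIT):
    """Naive detector: alert on any single flow larger than `limit`."""
    return [(ts, src, dst) for ts, src, dst, nbytes in flows if nbytes > limit]


def windowed_alerts(flows, window=WINDOW_SECONDS, limit=WINDOW_LIMIT):
    """Sliding-window detector: alert once a pair's bytes within `window` exceed `limit`.

    Flows are processed in timestamp order. Returns a sorted list of
    (src, dst, total_bytes_at_alert); each pair alerts at most once.
    """
    history = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes) still in window
    totals = defaultdict(int)      # (src, dst) -> bytes currently in window
    alerted = {}
    for ts, src, dst, nbytes in sorted(flows):
        key = (src, dst)
        window_q = history[key]
        window_q.append((ts, nbytes))
        totals[key] += nbytes
        # Expire records older than the window before judging the total.
        while window_q and ts - window_q[0][0] > window:
            _, old = window_q.popleft()
            totals[key] -= old
        if totals[key] > limit and key not in alerted:
            alerted[key] = totals[key]
    return sorted((src, dst, total) for (src, dst), total in alerted.items())


if __name__ == "__main__":
    print("per-flow:", per_flow_alerts(FLOWS))
    print("windowed:", windowed_alerts(FLOWS))
```

On the constructed data the per-flow check never fires, while the windowed check raises a single alert for the 10.0.5.21 to 203.0.113.9 pair once the six chunks total 5,450,000 bytes; the window size and byte limit are tuning parameters that should be set from a baseline of the organisation's normal outbound volumes.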
"All this points to one painful fact: The largest enterprise organizations in the world remain lucrative targets for sophisticated cyber-attackers. Security breaches across multiple industries forge ahead in an upward trajectory, and the financial services industry is no exception," the report said.
A cyber-espionage group infiltrated satellite, telecom and defense companies in the US and Southeast Asia, and evidence suggests that the campaign's objective was espionage. Identified by Symantec and announced on 19 June, the campaign originated from machines based in mainland China, according to researchers.
Thus far, the analysis suggests that the defense, telecom and satellite sectors – more specifically, the geospatial sector – have been targeted. In the geospatial sector, the group targeted computers running MapXtreme GIS (geographic information system) software, used to develop custom geospatial applications and to integrate location-based data. Not surprisingly, machines running Google Earth Server and Garmin imaging software were also targeted.
“The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence,” Greg Clark, Symantec CEO, said in a press release. "They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat."
Because attackers are moving laterally in order to infect satellite monitoring and controlling devices within a satellite communications operator, the threat has the potential to be very disruptive. In a 19 June blog post, Fortinet said this component of the threat suggests that the group likely wanted to gather intelligence, exfiltrate data and disable the satellites.
“Thrip exemplifies the growing urgency for being able to quickly and reliably detect lateral movement across the network,” said Anthony Giandomenico, senior security researcher, Fortinet FortiGuard Labs. However, defending against an advanced threat such as Thrip requires a number of critical security strategies to be in place.
Attackers rarely find what they are looking for in their first compromised device, which is why they then move laterally in search of the systems they need to accomplish their goal. Moving through the systems also allows them to "establish a stronger foothold to increase the difficulty of properly removing the malware from the network," Giandomenico said.
“Detecting an initial compromise can be very difficult, even with sophisticated security measures in place, as it usually happens very fast and often uses advanced evasion techniques to disguise the attack," Giandomenico continued. "This sort of countermeasure requires keeping up with the latest techniques adversaries are using while being proactive in finding and addressing existing network blind spots and control gaps.”
In today’s interconnected world, it’s more likely that politics and social unrest the world over could have significant impact on today’s digital business. That’s according to Flashpoint’s Business Risk Intelligence Decision Report, which took a midyear look at the methods, motives and moves of nation-state actors.
“The relatively quiet first six months of 2018 could turn on a dime as midterm elections loom, tense relations in the Middle East persist, the U.S. leaves the Joint Comprehensive Plan of Action (JCPOA), sanctions against Iran tighten, and numerous other dramatic geopolitical developments continue to arise,” the report stated.
The report analyzed trends and indicators in threat actor reactions to, and prioritization of, activities with regards to global events and dynamics. From that analysis, Flashpoint developed a six-tiered capability and potential impact scale, with the sixth tier potentially having what the company defined as a catastrophic impact.
Results of the analysis rank China and Russia at a Tier 6 – the greatest threat – across most verticals, with the exception of retail. Though state-sponsored cyber activity coming from Russia has been quiet thus far this year, “the apparent lack of cohesion between Europe and the US in dealing with Russian offensive cyber tactics may serve to embolden Russia to continue expanding its cyber operations,” according to the report.
Activity from state-sponsored actors in China remained potent threats to private companies and government institutions. China has continued its internal crackdown on anonymity while increasing scrutiny of online activities and foreign corporate interests. In addition, The National Cybersecurity Law has driven cyber-criminals to either cooperate with authorities or move farther to the fringes in tools and techniques.
Also rated as potentially having a catastrophic impact is the intelligence-sharing arrangement between several Anglophone countries known as the Five Eyes. The report defines the Five Eyes as the group that “collectively represents the pinnacle of cyber capabilities related to cyber espionage and destructive or disruptive attacks."
"Yet they are not traditionally considered threat actors to Western entities," the report states, "because their activities are generally undertaken in support of national security objectives rather than for commercial or economic gain.”
An inept cyber-criminal has been given a 20-month sentence behind bars after DDoS-ing the networks of a Wisconsin city, temporarily taking out its 911 center.
Randall Charles Tucker, 23, of Apache Junction, Arizona carried out the attacks on the City of Madison in 2015 as part of a wider DDoS campaign against various cities, according to the Department of Justice.
“In addition to disabling the City of Madison’s website, the attack crippled the city’s internet-connected emergency communication system, causing delays and outages in the ability of emergency responders to connect to the 911 center and degrading the system used to automatically dispatch the closest unit to a medical, fire, or other emergency,” the notice read.
It’s unclear what his motivation was in launching the attack, although it came just days after a fatal shooting by a Madison police officer.
Tucker’s other exploits saw him DDoS the municipal computer systems in Phoenix suburbs Chandler and Mesa and user-generated video portal News2Share, the latter in a bid to persuade it to feature one of his videos.
These charges were reportedly dropped as part of the plea deal.
Tucker boasted of his crimes on social media, dubbing himself the “Bitcoin Baron,” and has also reportedly taken part in hacktivist campaigns like Anonymous #OpSeaWorld.
However, his attempts to portray himself as a moral crusader failed miserably. In one incident in 2015 he apparently DDoS-ed the city and police websites of San Marcos in Texas — demanding a local policeman who had assaulted a female college student be jailed and fired. That cop had already been sent to prison two years previously.
Tucker also launched an attack on a children’s hospital, reportedly defacing it with child pornography, which if true somewhat undermined his hacktivist credentials.
Alongside the jail sentence, Tucker was ordered by the court to pay restitution of over $69,000 to the victims of his attacks.
The notorious Olympic Destroyer malware which disrupted the last Winter Games has resurfaced, targeting several countries in Europe as well as Russia and Ukraine, according to Kaspersky Lab.
The Russian AV company warned that the latest activity could spell the start of new destructive malware campaigns from the group behind the threat.
“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again,” the firm explained.
“However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.”
Phishing emails were used to infiltrate and map out target networks ahead of a destructive campaign which disrupted the Pyeongchang Olympics earlier this year, leading the firm to speculate that this new activity could lead to something similar.
It warned all biochemical-threat prevention and research organizations in Europe to bolster their defenses and run unscheduled security audits.
It’s not clear what the link between these new targets is, with the group behind it considered “a master in the use of false flags.” However, Kaspersky Lab claimed the TTPs and operational security techniques used by the group “bear a certain resemblance” to Sofacy/Fancy Bear/APT28, the notorious Kremlin hacking outfit that disrupted the 2016 US presidential election.
“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cyber-theft and another group or groups looking for espionage targets,” the vendor concluded.
“This could also be a result of cyber-attack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”
South Korean exchange Bithumb has been targeted by hackers for the second time in a year, this time losing over $31m in cryptocurrency.
A notice from the firm, one of the world’s largest digital currency exchanges, claimed that the attack began last night and was discovered this morning, with around 35bn won ($31.5m) taken.
The firm has halted deposits and withdrawals “for the time being” while it conducts a thorough review into what happened.
It claimed that all lost funds will be covered by Bithumb from its own reserve and that remaining assets were removed to a secure cold wallet.
Currencies affected are thought to include Ripple.
Bithumb is thought to be the sixth largest exchange in the world based on its trading volume of over $370m.
However, this isn’t the first time it has been a target for cyber-attackers.
Back in July 2017, hackers stole personal details on 30,000 customers after compromising an employee’s laptop. The resulting phishing campaign tricked them into handing over authentication codes which resulted in large scale theft from customer accounts.
The attacks continue to come thick-and-fast against digital currency exchanges. Bithumb rival Coinrail was targeted by hackers earlier this month in a raid which cost it $37m, around 30% of its total token/coin reserves. In December 2017, Slovenian cryptocurrency marketplace NiceHash was hit by a cyber-attack which led to losses of $64m.
The news will continue to serve as a warning to investors of the risks involved in putting money into the nascent cryptocurrency market.
North Korean hackers have been pegged in the past for spear-phishing attacks against cryptocurrency exchanges and illegal cryptomining, as they look to generate much needed funds for the Kim Jong-un regime.
IEEE member and professor of cybersecurity at Ulster University, Kevin Curran, argued that attacks on crypto-currency organizations have increased as the value of the currency has rocketed in recent years.
“If they do find your crypto-currency wallet or hack online crypto exchanges and transfer the coins — then it is basically gone forever. It is not that we cannot see which ‘wallet’ these ‘coins’ have been transferred into but rather that the stolen tokens can be transformed into ‘fresh’ tokens by using ‘mixing services’, which create new untraceable tokens,” he explained.
“Ultimately, remember that the European Banking Authority and others have warned that Bitcoin users are not protected by refund rights or chargebacks.”
A Chicago Public Schools (CPS) employee will be removed from their position after accidentally sending a mass email that included a link to a confidential spreadsheet on Friday evening, 15 June. The email exposed the private data of 3,700 students and families, according to the Chicago Tribune. The link, which wasn’t removed until Saturday morning, revealed students’ names, email addresses, phone numbers and student ID numbers.
Affected families were notified via the following email:
EMAIL TO FAMILIES: 7/15/2018
Earlier today, in an unacceptable breach of both student information and your trust, we mistakenly included your private student and family information in an email to you and more than 3700 other families who were invited to submit supplemental applications to selective enrollment schools.
We sincerely apologize for this unintended disclosure and ask that you please delete the information in question.
We are taking this matter very seriously, and a review of this incident is underway to determine how this breach occurred and ensure a similar matter does not occur again. Additionally, we will be removing the responsible employee from their position because violating your privacy is unacceptable to the district.
If you would like to speak with someone regarding this matter, please contact 773-553-2060.
CPS Office of Access and Enrollment
While the error will cost the employee their job, there is a greater question of liability as the employee was able to access a file stored on Blackboard that contained sensitive information without any required login.
CPS reportedly had initially believed that the file was an attachment, and it asked parents to delete the file. “So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard,” according to DataBreaches.net.
In an email to Infosecurity Magazine, CPS wrote, “To ensure no one else is able to pull down the improperly disclosed information, CPS had the sensitive file pulled from the network so that no one could retrieve it again. We also asked anyone who downloaded the data to remove it from their system."
"To help ensure an improper disclosure of this nature does not occur again, we immediately put in place additional technical restrictions regarding personnel who can send messages of this nature," CPS continued. "Moving forward, we are exploring additional technical safeguards that would help prevent data of this nature from being disclosed."
The potential damages a company can suffer from malicious insiders became a harsh reality for Tesla CEO Elon Musk, who expressed his disappointment at learning he had a saboteur within the Tesla ranks. The individual who allegedly engaged in damaging sabotage against Tesla was reportedly an employee disgruntled over not getting a promotion.
According to a report from CNBC, Musk sent an email to Tesla employees late Sunday revealing that a Tesla worker had engaged in “quite extensive and damaging sabotage” against the company. CNBC posted what it said was a copy of the email in which Musk said the sabotage included the use of false usernames to make changes to the code used in the Tesla Manufacturing Operation System, as well as “exporting large amounts of highly sensitive Tesla data to unknown third parties.”
As Musk noted, when an employee engages in such illicit activity, it is usually an act of revenge. "His stated motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move."
"This is a major reminder as to why privileged access management is a must-have for organizations that deal with sensitive information or personal information and why least privileged is a practice being adopted by many organizations,” said Joseph Carson, chief security scientist at Thycotic.
However, in a recent Raytheon-commissioned survey of IT security professionals, insider threats ranked low on the CISOs' priority lists, with only 36% saying they consider malicious or criminal insiders to be a high risk.
"Taking things at face value, this [act of sabotage] is basically a smorgasbord of cybercrime, and it could have affected any company anywhere. You have an insider threat. You have altered data affecting the factory operating system. You have leaked proprietary data. You have credential theft. And you have it all, apparently, at the hands of a disgruntled employee. It’s time to make insider threat a top priority," said Michael Daly, CTO, cybersecurity at Raytheon.
The reality that employees can act without regard for the best interest of the company will likely be a major lesson for Tesla, but it's not its only struggle right now. It also confronts ongoing issues in its electric vehicle plant. Less than 24 hours after alerting employees to the sabotage, Musk shared news of another fire in its factory, which happened during the evening of Sunday, 17 June.
One of the consequences of constant connectivity is that the connected devices people use are vulnerable to attacks, which can expose not only personal but also location data, as a researcher from cybersecurity firm Tripwire recently discovered.
A new attack against popular home devices Google Home and Chromecast revealed a privacy issue: The devices can be used to find out where people live.
In an 18 June post, researcher Craig Young detailed how he used a technique called DNS rebinding to achieve code execution, allowing him to pinpoint precise locations of Google Home and Chromecast devices just by getting their users to open a website.
DNS rebinding lets a malicious website use the visitor's own web browser to reach devices on the user's local network. Young said he was surprised to find not only that this attack was possible against these devices but also that Google was already aware of the problem and had done nothing.
“It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and WiFi connection are sent directly to the device without any form of authentication,” Young said.
The discovery presents both a privacy and a safety issue for users who browse the web from the same Wi-Fi network as a Google Home or Chromecast, because it opens up the possibility of cyber-stalking. A website’s operator can learn a user’s location, which makes it possible for a predator to physically stalk a victim in the real world.
Moreover, Young believes it's important for users of these kinds of devices to understand the broader implications and risks of this new attack, as there is the "possibility of more effective blackmail or extortion campaigns. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”
As a method of mitigating exposure, Young said he has at least three distinct networks in his home at any given time so that if he is surfing the web on his main network, “a rogue website or app would not be able to find or connect to my devices. When using Chromecast, I need to then either switch networks temporarily or else use the sometimes glitchy ‘Guest Mode.’”
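The device-side mitigation the story points at is a check on the HTTP Host header: a browser driven by a rebinding page sends the attacker's domain name in Host, whereas a legitimate local client names the device's own address. The following is an added illustration, not code from Google, Tripwire or Young; the local configuration endpoint, the allowed host list and the attacker domain are all constructed for the example.

```python
import ipaddress
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Names the device legitimately answers to (constructed for this example).
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

def host_is_local(host_header):
    """True if Host names this device; False for a foreign (rebound) domain."""
    if not host_header:
        return False
    try:
        host = urlsplit("//" + host_header).hostname  # strips port and [] brackets
    except ValueError:
        return False
    if host is None:
        return False
    if host in ALLOWED_HOSTS:
        return True
    try:  # a user typing the device's LAN address directly is also fine
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # any other hostname is not ours: reject

class DeviceHandler(BaseHTTPRequestHandler):
    """Hypothetical unauthenticated setup endpoint, guarded by the Host check."""
    def do_POST(self):
        if not host_is_local(self.headers.get("Host")):
            self.send_error(403, "Host header does not name this device")
            return
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, *args):  # keep the demo quiet
        pass

def send_command(port, host_header):
    """POST a setup command with a chosen Host header; return the HTTP status."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/setup/name",
                                 data=b"name=x", method="POST")
    req.add_header("Host", host_header)  # urllib honours a caller-set Host
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    """Run the device on a loopback port; compare a local and a rebound request."""
    server = HTTPServer(("127.0.0.1", 0), DeviceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return (send_command(port, f"127.0.0.1:{port}"),
                send_command(port, "attacker.example"))  # constructed rebinding domain
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The check complements, rather than replaces, the network separation Young describes: it stops a rebound browser from issuing commands, but only authentication would protect against a client that is already on the same network.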
New research from Positive Technologies has discovered that almost half (48%) of web applications are vulnerable to unauthorized access, with 44% placing users’ personal data at risk of theft.
What’s more, 70% of the apps Positive Technologies tested proved susceptible to leaks of critical information, whilst attacks on users are possible in 96% of them.
In fact, every app the firm assessed contained vulnerabilities of some sort, with 17% having vulnerabilities that would allow an attacker to take full control over the app.
The majority of detected vulnerabilities (65%) were a result of errors in application development – such as coding errors – with incorrect configuration of web servers accounting for a third of them.
However, the research did discover the percentage of web apps with critical vulnerabilities (52%) had declined for the second year in a row, down from 58% the previous year.
“Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process,” said Positive Technologies analyst Leigh-Anne Galloway. “Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.”
Speaking to Infosecurity, Eoin Keary, founder and CEO of edgescan, agreed that steps need to be taken to improve application layer security.
“DevSecOps needs to be embraced such that security is throughout the development pipeline,” he said. “Application component security management (software components used by developers) is still not commonplace in terms of supporting frameworks and software components and is a common source of vulnerability.”
A US woman has pleaded guilty to using data stolen in the notorious 2015 OPM breach to secure fraudulent loans.
Karvia Cross, 39, of Bowie, Maryland, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft and could theoretically face anything from two to 30 years behind bars.
She is said to have helped mastermind a wide-ranging fraud campaign, using OPM breach victims’ stolen identities to obtain personal and vehicle loans from Langley Federal Credit Union (LFCU).
“LFCU disbursed loan proceeds via checks and transfers into the checking and savings accounts opened through these fraudulent applications,” the Department of Justice explained. “Vehicle loan proceeds were disbursed by checks made payable to individuals posing as vehicle sellers, while personal loan proceeds were disbursed to LFCU accounts opened in connection with the fraudulent loan applications and transferred to accounts of others.”
Cross and others then withdrew the fraudulently obtained funds, the DoJ said.
Co-defendant Marlon McKnight pleaded guilty to the same charges on June 11.
The revelations are interesting as up until now the US government has blamed China for the devastating attack on the Office of Personnel Management. Some 22.1 million current and former US officials and their friends and family were caught in the breach, which included information on security clearance “background investigations” for military and intelligence roles.
That led many to speculate that foreign agents had co-ordinated the hack to obtain information which could be used to blackmail, coerce and intimidate US personnel and potentially even recruit spies.
It’s somewhat unusual, therefore, that the same data presumably found its way onto the cybercrime underground where fraudsters like Cross could access it, although there’s no official confirmation of this.
The breach itself was said to have been made possible after hackers stole credentials from a government contractor, something that could have been avoided with stronger security processes and implementation of multi-factor authentication.
Attacks on critical national infrastructure (CNI) represent the biggest cybersecurity threat facing the UK, according to MPs.
NCC Group polled a representative sample of 100 MPs from all main political parties and found 62% believed compromise of key sectors including transport and utilities to be the biggest risk to the country.
Although all parties agreed on this, they were divided in their views on other threats.
Over two-fifths (42%) of Conservatives claimed a compromise of nuclear capabilities to be one of the top two threats, versus just 14% of Labour MPs. On the other hand, 44% of Labour MPs considered democratic interference to be a major threat, compared to only 16% of Conservative MPs.
On a positive note, MPs do seem to appreciate the consequences of poor cybersecurity. Three-quarters (75%) claimed to be concerned that a breach of their personal email could negatively affect the cybersecurity of the House of Commons, while 73% said that their constituents’ privacy would be the biggest concern emanating from such a threat.
NCC Group’s global CTO, Ollie Whitehouse, welcomed the seemingly high levels of awareness of cyber-issues among MPs.
“In recent years, the government has been proactive in implementing initiatives to strengthen the UK’s stance against evolving technical and geopolitical threats which attempt to compromise the integrity of our nation,” he added. “MPs play a significant role in these initiatives, so it’s important to maintain continued education around modern threats and informed dialogue amongst all stakeholders. This will ensure that parliamentary staff at all levels understand the steps they need to take, in both their professional and personal lives, in order to address cyber-risk head on.”
However, in a keynote speech at Infosecurity Europe earlier this month, parliamentarian and dotcom pioneer Martha Lane Fox argued that politicians are dangerously ignorant when it comes to understanding technology.
“We need to upskill our legislators dramatically if we’re going to cope with the challenges of the coming years,” she said. “We are very far away from having policymakers equipped to deal with the scale of the challenge.”
Security researchers have discovered seven vulnerabilities in nearly 400 models of IP camera from a well-known manufacturer, some of which could be exploited to remotely control the devices.
The team at security vendor VDOO made the discovery as part of wider research into a range of leading IoT products from a broad sweep of manufacturers.
It claimed to have responsibly disclosed the flaws to Axis Communications, which has since released new firmware to address the bugs in 390 models of its internet-connected surveillance cameras.
The vulnerabilities in question are: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664.
VDOO claimed that by chaining three of these together, attackers could access the camera login page remotely via the network without needing to authenticate.
With full control over the devices, they could access or freeze the video stream, move the lens or turn motion detection off, conscript the device into a botnet for DDoS, Bitcoin mining and other ends, and even use it as a beachhead into the main network.
“To the best of our knowledge, these vulnerabilities were not exploited in the field, and therefore, did not lead to any concrete privacy violation or security threat to Axis’s customers,” the firm concluded.
“We strongly recommend Axis customers who did not update their camera’s firmware to do so immediately or mitigate the risks in alternative ways.”
VDOO also released some guidance for IP camera device manufacturers, claiming to have uncovered plenty of “bad architectural practice.” Its recommendations include privilege separation between processes, input sanitization, minimal use of shell scripts and encryption of binary firmware.
This isn’t the first time Axis Communications has been singled out for attention by security researchers.
In July last year, IT security firm Senrio revealed Devil’s Ivy, a major flaw in the widely used gSOAP web services toolkit which made its way into potentially tens of millions of devices, including those produced by Axis.
Adware is easy money for cyber-criminals who install malware in advertisements. Researchers have discovered a new piece of malware, dubbed Zacinlo, that specializes in advertising fraud. According to Bitdefender, Zacinlo pulls advertising from several platforms, including Google AdSense.
Adware has long been used to augment the earnings of software developers who deliver free applications to consumers. It’s been a winning strategy for app developers whose products have landed in the hands of users around the globe, but the unspoken contract of "no financial strings attached" has been governed by the third-party advertisers. Advertisers absorbing the product’s cost in exchange for customer data is what gave rise to adware.
In a white paper released today, Bitdefender wrote that “adware has witnessed constant improvements over the years in both data collection and resilience to removal. The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user.”
Zacinlo, spyware that has been running since early 2012, infects a user's PC and performs one of two tasks: it either opens invisible browser instances to load advertising banners and then simulates clicks from the user, or it replaces ads loaded naturally inside the browser with the attacker’s ads in order to collect advertising revenue.
An interesting feature of this adware is that it includes a rootkit driver that protects itself, as well as its other components. Extremely rare and difficult to remove, rootkit-based malware is usually found in less than 1% of threats.
"Threats like Zacinlo clearly demonstrate that crime does pay. Advertising abuse has been known to happen for years, but Zacinlo takes this to a whole new level. The complexity and longevity, as well as the multitude of samples, show that the team that operates it manages to defraud significant amounts of money from publishers and advertisers," said Bogdan "Bob" Botezatu, senior e-threat analyst from Bitdefender.
“Since the rootkit component attempts to subvert both the operating system and the security solutions running on top of it, I would highly recommend that – from time to time – users run a full security sweep," Botezatu said.