Info Security


Major Takedown of Site Selling Cyberattacks

Wed, 04/25/2018 - 15:22

Administrators of the world's largest DDoS-as-a-service website were only yesterday reaping the rewards of their illicit enterprise. Today, they are under arrest thanks to the cooperative effort of international law enforcement agencies.

Europol reported the success of Operation Power Off, an investigation led by the Dutch police together with the UK's National Crime Agency and a dozen other law enforcement agencies from around the world. As of today, the site has been shut down and its infrastructure seized.

DDoS attacks are widely disruptive because they knock services offline. As of April 2018, the site had 136,000 registered users who had orchestrated four million attacks targeting financial and government agencies. Last year, the site was used to launch a series of attacks on UK high street banks, causing hundreds of thousands of pounds of damage.

Where once only sophisticated hackers conducted these attacks, the widespread availability and very low cost of as-a-service attacks now allow anyone to purchase and launch an attack capable of paralyzing internet services.

“The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as the web of profit continues to gain momentum," said Gregory Webb, CEO, Bromium.

Recently released academic research, Into the Web of Profit, commissioned by Bromium and carried out by Dr. Mike McGuire, senior lecturer in criminality at Surrey University, found that Crimeware-as-a-Service earns cybercriminals $1.6bn per year, with DDoS-attack hires generating $13m of revenue per year. There are an average of six-and-a-half million DDoS attacks per year. 

"It’s a growing problem, and one we take very seriously. Criminals are very good at collaborating, victimizing millions of users in a moment from anywhere in the world. We need to collaborate as well as them with our international partners to turn the table on these criminals and shut down their malicious cyberattacks," said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).

Though some individuals may see their involvement as merely playing around with low-level fringe cybercrime, DDoS attacks are illegal, and perpetrators who conduct them can face a hefty fine, a prison sentence, or a combination of both.

Categories: Cyber Risk News

Keep Hackers Locked out of Hotel Rooms

Wed, 04/25/2018 - 13:36

It’s rare to check into any hotel today and be handed an actual door key. Global hotel chains and hotels worldwide have transitioned from the lock and keys of old to an electronic system so that guests need only swipe a card in front of the door. But researchers at F-Secure Cyber Security Services have discovered that room keys can be hacked, allowing nefarious actors entrance into any room in the building.

Using an ordinary electronic key – whether it was tossed in the garbage or long expired – researchers exploited a flaw in the Vision software from VingCard (now ASSA ABLOY). Hotels worldwide rely on VingCard's electronic lock system software to secure millions of hotel rooms, yet the researchers were able to create a master key that allowed them to open any room they wished.

"We could not believe our eyes when the lock finally opened with a master key we had created (from a regular room key). On paper, the system looked pretty solid. It was the combination of minor issues that allowed us to create a practical attack against the system,” said Tomi Tuominen, practice leader at F-Secure.

The choice to target a brand known for its quality and security was intentional, but it was not an overnight success. It took several thousand hours to gain an in-depth understanding of the system's design and to identify inconspicuous security flaws. The researchers persisted through considerable trial and error, intent on finding a way to bypass the electronic lock without leaving a trace.

"Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys,” said Timo Hirvonen, senior security consultant at F-Secure.

Once they succeeded, they disclosed the vulnerability to ASSA ABLOY, the lock manufacturer, and worked with them over the course of the past year to implement software fixes that have been made available to the affected properties.

In a statement released by F-Secure, Tuominen credited the ASSA ABLOY R&D team for their willingness to address the reported issues.

Categories: Cyber Risk News

GDPR Too Close, Half of Global Companies Not Ready

Wed, 04/25/2018 - 13:03

With only one month remaining before the EU's General Data Protection Regulation (GDPR) goes into effect, many organizations are still scrambling to be in compliance. That could result in hefty fines and legal consequences for the majority of the 448 institutions surveyed by KPMG Global Legal Services. More than half (54%) reported that they are not in compliance.

According to the senior legal counsels who participated in the survey, one of the Achilles' heels for compliance preparedness is third-party vendors. Even the commercial suppliers of those companies that collect data from customers protected by the regulations need to be GDPR compliant, yet the survey found that an overwhelming majority of businesses have not confirmed whether their down-line vendors are adhering to the regulations.

"Surprisingly, many businesses haven’t looked at their supply chain as a potential risk for GDPR compliance. This is particularly challenging for global organizations, with thousands of suppliers, and could be costly if not addressed with the appropriate rigor needed under the GDPR," said Juerg Birri, KPMG's global head of legal services.

An additional obstacle that many organizations face is that many boards do not understand or take seriously the full impact of these new regulations. Of the businesses that reported having board-level support, 69% have appointed a data protection officer, 55% document all of their data processing activities, and nearly half (49%) feel their employees are mostly or fully aware of their obligations under GDPR.

Other recent surveys report similar findings. Technology industry association CompTIA recently conducted a survey of 400 US companies on their GDPR readiness and found that only 22% of firms have started developing their compliance plans. “Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO.

According to a CompTIA press release, "About one-third of the firms surveyed do not believe GDPR will have an impact on their current or future approach to business in the EU. Another third indicate GDPR may negatively impact their desire to engage in business activities in countries governed by GDPR. The remaining one-third of firms are unsure."

Only 13% of those companies surveyed by CompTIA reported being fully compliant with GDPR. 

Categories: Cyber Risk News

US Child Identity Fraud Victims Lost $2.6bn Last Year

Wed, 04/25/2018 - 10:00

Over one million US children fell victim to identity fraud last year, resulting in losses of $2.6bn, according to a new study from Javelin Strategy & Research.

The research firm polled 5,000 adults who live in a household with a dependent child or have done so in the past six years.

It found the impact on children of data breaches can be more severe than for adults: 39% of child breach victims were then defrauded, versus 19% of notified adults.

Two-thirds of child fraud victims are under eight, and it’s thought that because they have limited financial records on file, children offer fraudsters a great opportunity to open new fake accounts in their name. However, because few kids have plastic, card fraud is rare.

Thus, while adults are targeted for the value of their account, children are targeted for the value of their identity.

This has proven to be a goldmine for the fraudsters, who can on average steal $2303 from their victims — more than twice the mean fraud amount for adult fraud victims. The impact is even greater because while adult victims usually get their money back, the families of child ID fraud victims paid on average $541.

Interestingly, 60% of child ID fraud victims know the fraudster, versus just 7% of adult victims. Javelin claimed that many of these scammers abuse the legitimate access they have to the personal information of their victims.

The report also claimed that children who are bullied online are more than nine times more likely to be victims of fraud than those who are not bullied.

“In many cases, fraud and bullying are not perpetrated by the same individual but arise from the same underlying vulnerabilities,” said Al Pascual, senior vice-president at Javelin. “Children who are unprepared to protect themselves from online risks are likely to encounter individuals who wish to target them emotionally or financially. Bullied children also may be more vulnerable to fraud as they are taken advantage of when they seek friendship online.”

The report urged parents to monitor their children’s bank accounts, pay attention to breach notifications and train their kids to be more savvy about protecting their identity.

Categories: Cyber Risk News

Altaba Fined $35m for Yahoo Breach Notification Failings

Wed, 04/25/2018 - 09:22

The company formerly known as Yahoo has agreed to pay a $35m penalty to the Securities and Exchange Commission after failing to notify the market promptly about a breach of hundreds of millions of accounts.

The December 2014 breach of around 500 million accounts resulted in usernames, email addresses, encrypted passwords, birthdates, phone numbers and security questions ending up in the hands of alleged Russian state hackers.

Last year, the Department of Justice charged four Russians: FSB officers Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, and two cyber-criminals they are said to have conspired with, Alexsey Belan and Karim Baratov.

The latter has pleaded guilty and is currently awaiting sentencing, although the others are thought to be at large.

The SEC claimed that Yahoo’s senior management and legal department knew “within days” of the intrusion that hackers had stolen the crown jewels but failed to investigate properly or consider whether investors needed to know.

In fact, the firm failed to notify over several quarterly and annual reports, saying only in its SEC filings that it faced the risk of breaches.

This meant that the incident was only disclosed when Verizon came to buy the company in 2016.

“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said SEC regional office director, Jina Choi. “Public companies should have controls and procedures in place to properly evaluate cyber-incidents and disclose material information to investors.”

The breach is separate from the 2013 incident which the firm admitted last year hit all three billion accounts.

Although Verizon subsequently received a major $350m discount on the original agreed price for Yahoo, it is still picking up the pieces financially of the company’s past mistakes, with ongoing lawsuits pending.

However, this fine will be owed not by Verizon but the new Yahoo holding company known as Altaba.

Categories: Cyber Risk News

Ukrainian Energy Ministry Site Downed in Drupal Ransomware Attack

Wed, 04/25/2018 - 08:50

Unpatched CMS software installations appear to have been targeted by ransomware attackers over the past few days, taking down the Ukrainian energy ministry among others.

The widely reported attack on the ministry site is said to have been an isolated incident in that it didn’t affect any other parts of the Ukrainian government.

Although attacks in the past have been blamed on Moscow, there are signs that this raid was the work of cyber-criminals.

For one, the attack did not target the country’s critical infrastructure, unlike previous threats which have caused power outages for hundreds of thousands in December 2015 and 2016.

The ransomware message was also written in English and demanded just 0.1 Bitcoin ($927). The payment address used previously appears only to have received around £100.

Security researcher Kevin Beaumont named it as Vevolocker, a variant around since mid-2017.

“Somebody posted the source code online, which is causing more people to use it,” he tweeted.

However, AlienVault security researcher Chris Doman claimed the compromised site also includes the contact details and “tag-sign” of the hacker.

“What has probably happened here is that a hacktivist has hacked the site for fun, then the criminal ransomware attacker has used their backdoor to try and make some money,” he argued.

Other experts suggested the attacks were automated and targeted a critical vulnerability in the Drupal CMS software which was patched a month ago.

“While many people might be quick to cast blame on Russia for this incident, I believe this was probably not the case. Looking over the internet archive of this site, it appears that they were running Drupal 7 which is currently under active attack by automated attackers armed with Drupalgeddon2 exploits,” explained Tripwire researcher Craig Young.

“Drupalgeddon2 is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March. It is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday but has yet to provide a public fix.”

He said the incident underscores the need for organizations to patch promptly and ensure they maintain up-to-date back-ups of their content.

Categories: Cyber Risk News

Isolated, Air-Gapped Crypto-Wallets Hacked

Tue, 04/24/2018 - 13:28

He who holds the private keys owns all of the bitcoins. For those who manage their cryptocurrency in offline, or "cold," wallets under the premise that they cannot be compromised, recent news from researcher Dr. Mordechai Guri from Ben-Gurion University of the Negev, Israel, raises some alarms. Guri demonstrated that cold wallets can be infected with malicious code, allowing an attacker to access the wallet’s private keys.

Because cold wallets are presumed safer than keeping keys in "hot," or online, wallets, many cryptocurrency owners keep their bitcoin wallets isolated on air-gapped PCs that are kept away from the internet and not connected to any network, Wi-Fi or Bluetooth.

In addition to publishing a white paper, Guri demonstrated the attack method’s effectiveness using malware he calls bridgeware, which leaks the bitcoin private key across the air gap via ultrasonic signals in only three seconds.

[Embedded video: BeatCoin: Leaking bitcoin private key from air-gapped wallet]

The discovery isn’t new, nor is it the first time a hacking technique was used to compromise an isolated machine. Rather, Guri’s experiment showed that private cryptocurrency keys can be stolen using out-of-band communication methods.  

Malware can be preinstalled, delivered during the initial installation of the wallet, or introduced via removable media. Once the malware is installed, an attacker can choose from a variety of exfiltration channels, and Guri evaluated several, including physical, electromagnetic, electric, magnetic, acoustic, optical and thermal.

“This research shows that although cold wallets provide a high degree of isolation, it’s not beyond the capability of motivated attackers to compromise such wallets and steal private keys from them. We demonstrate how a 256-bit private key (e.g., bitcoin’s private keys) can be exfiltrated from an offline, air-gapped wallet … within a matter of seconds,” Guri noted.

The PC and keyboard are removed in the second video to demonstrate an additional exfiltration method, a technique known as a RadIoT attack. In about 15 seconds, Guri transmits private keys from a Raspberry Pi to a nearby smartphone across the air gap by way of electromagnetic signals.

[Embedded video: BeatCoin2: Leaking bitcoin's private keys from air-gapped wallets]

"I think that the interesting issue is that the airgap attacks that were thought to be exotic issues for high-end attacks may become more widespread," Guri wrote in an email to Ars Technica. "While airgap covert channels might be considered somewhat slow for other types of information, they are very relevant for such brief amounts of information. I want to show the security of 'cold wallet' is not hermetic given the existing air-gap covert channels."

Categories: Cyber Risk News

Improved Security Standards for Electric Grids

Tue, 04/24/2018 - 11:21

In an effort to address the growing threat of cyber-attacks to the national power grid, the Federal Energy Regulatory Commission (FERC) approved revised reliability standards for cybersecurity management controls.

The Critical Infrastructure Protection standards, developed by the North American Electric Reliability Corporation (NERC), were first proposed in October 2017. As threats to critical infrastructure increase, the government moves to improve its ability to respond to cybersecurity attacks. 

The revised Critical Infrastructure Protection (CIP-003-07) requires responsible entities to have a policy for declaring and responding to CIP exceptional circumstances and clarifies electronic access control for low-impact BES Cyber Systems.

An exceptional circumstance, as defined in the NERC glossary, is "a situation that involves or threatens to involve one or more of the following, or similar, conditions that impact safety or bulk electric system reliability: a risk of injury or death; a natural disaster; civil unrest; an imminent or existing hardware, software, or equipment failure; a Cyber Security Incident requiring emergency assistance; a response by emergency services; the enactment of a mutual assistance agreement; or an impediment of large scale workforce availability." 

Recognizing the need to mitigate the risk of a cybersecurity incident resulting from malicious code delivered through external devices such as laptops or USB drives, the commission directed NERC "to conduct a study to assess the implementation of Reliability Standard CIP-003-7 to determine whether the electronic access controls adopted by responsible entities provide adequate security."

The findings of NERC's study must be submitted within 18 months of the revised standards' effective date.

"Because most electric utilities were likely planning to implement electronic and physical access controls for low-impact BES Cyber Systems by September 1, 2018, FERC’s recent rule should provide them with more clarity about exactly what sort of electronic access needs to be protected," said Daniel Skees, partner, Morgan Lewis. 

“Low-impact” facilities are far more numerous than high- and medium-impact facilities and include the oldest technology in a utility’s infrastructure. According to Skees, "The biggest challenge will be in identifying which facilities need to be compliant and mapping all of the electronic access into and out of those facilities so that appropriate electronic access controls can be applied."

Only after that analysis and cataloging process is complete can utilities implement the new controls. 

In practice, the revised standards will present some challenges. Employees operating largely independently will be required to follow these processes correctly, often without supervision, said Skees. "Failures can be subject to significant fines, but any process requiring human controls is almost inherently going to have occasional failures."

The revised standards also include changes to the NERC glossary that retire or clarify terms, helping to avoid ambiguity and simplify the electronic access control requirements.

Categories: Cyber Risk News

Facebook Cybersecurity University Graduates US Veterans

Tue, 04/24/2018 - 11:07

Though it’s not quite graduation season, 33 US military veterans celebrated the completion of their 12-week course and became the first class to graduate from Facebook Cybersecurity University for Veterans on Saturday, April 21.

Narrowing the cybersecurity skills gap demands that organizations get a little creative about how they train and recruit. That’s why Facebook partnered with and more than 200 students and professors across nine universities and colleges.

While Facebook tries to regain user trust, it is training veterans across every military branch to become defenders of the digital world. The 33 participants, all of whom had to have some background in IT or computer science, embarked on a cyber boot camp of sorts.

Over the course of the 12 weeks, the program focused on delivering the fundamentals of web application security. The veterans applied that foundational knowledge to gain a better understanding of offensive and defensive skills through a hands-on approach.

“They learned the basics of cybersecurity and common vulnerabilities and attacks, and they received hands-on practice in both exploitation techniques and strategies for protecting and hardening applications,” Facebook Security wrote in a post.

They met in Menlo Park, California, where they partook in a variety of sessions and labs as they reviewed broader security topics through videos and projects. Open source competitions allowed Facebook to bring the students closer to the real-world experiences of cyber-risk and -defense.

[Embedded media: Facebook Cybersecurity University]

One of the few women in the program, Courtney Kivernagel, told KQED that the program revealed a grit and tenacity she didn't know she had, not even after six years in the Air Force. “This was harder than basic training in some aspects, just because some of the problems they threw out at you. [They were like,] 'Into the deep end, here you go,'” Kivernagel said.

The graduation celebration comes at an optimal time for Facebook and the industry at large. The commitment to hiring thousands of new security professionals is a challenge for enterprises around the globe, particularly when only 137 schools in the US offer information security courses.

Providing these types of nontraditional learning opportunities opens the door for a more varied workforce to enter into the cybersecurity field. The social network has the ability to tap into a wider pool of candidates, and veterans are ideal candidates to fill the pipelines.

“We’re really proud of how this program shaped up, and even more so of the veterans who committed to improving their expertise. The security industry needs to be more reflective of the people we aim to protect, and we want to help improve the number of security professionals working to help defend people online,” said Stephanie Siteman, information security program manager at Facebook.

Students, veterans or professors who want to learn more about the opportunities Facebook is offering for education and diversity in cybersecurity can send an email to

Categories: Cyber Risk News

Experts: Switch Off Wi-Fi and Ditch Paperless Voting Machines

Tue, 04/24/2018 - 10:32

A bipartisan group of former state election specialists, intelligence officials and voting experts has urged state and local officials to ditch paperless voting machines as part of a $380m security overhaul.

The funds were released by Congress to help states upgrade their election systems in the wake of Russian cyber-attacks ahead of the 2016 presidential election.

The Department of Homeland Security (DHS) claimed last year that a total of 21 state systems were targeted by Kremlin hackers ahead of the election. Although actual compromises were confined to a small number of states, there are fears that the hackers will use the intelligence they gained to potentially cause greater disruption next time around.

Now a group of experts has signed an open letter to state election officers urging them to follow best practices in replacing paperless voting machines with systems that count a paper ballot. This would crucially preserve a record of the vote itself in case any suspicions are raised.

They also recommended the prohibition of any wireless connectivity on voting machines to limit risk exposure, and that election websites, voter registration systems and election night reporting systems are “defended against threats of intrusion and manipulation.”

The experts also suggested “robust post-election audits in federal elections” by checking a small sample of paper ballots, and argued that officials should be trained in how to incorporate security into election processes.

The group comprises big hitters such as former DHS secretary, Michael Chertoff; former NSA and CIA boss Michael Hayden; former US ambassador to NATO, Douglas Lute; cryptography expert Bruce Schneier; former deputy US CTO, Nicole Wong; and many more.

The recommendations chime roughly with those of the Senate Select Committee on Intelligence, announced last month, and best practice advice from the National Institute of Standards and Technology (NIST), as well as other leading experts.

Categories: Cyber Risk News

Security Fears as TSB Customers Able to Access Other Accounts

Tue, 04/24/2018 - 09:19

Nearly two million UK banking customers are reportedly experiencing difficulties using their account online, with some able to access other users’ funds after an IT upgrade went wrong.

The IT project was trailed by TSB for some time and customers were told they wouldn’t be able to access accounts over the weekend as it transferred systems from an old Lloyds Bank platform to a new state-of-the-art in-house IT system.

However, reports suggest customers are still affected by the IT snafu, with many taking to social media to vent their anger.

There have been numerous calls for compensation, while one customer said he was given access to another user’s £35,000 savings account, £11,000 ISA and a business account on Monday night.

Regulators the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) are said to be investigating the incident.

The TSB website appears to be bereft of any advice or updates on the issue, which betrays poor planning and incident response.

However, an official statement had the following:

“We are currently experiencing large volumes of customers accessing our mobile app and internet banking which is leading to some intermittent issues with people accessing our services. We are really sorry for the inconvenience this is causing our customers and want them to know we are working as hard and as fast as we can to resolve this problem.”

Bill Curtis, chief scientist at software intelligence firm CAST, argued that many banks haven’t upgraded their IT systems because of their complexity.

“Moving forward, banks must dedicate time and effort to understand the risks held by their software architecture, especially those firms undergoing huge mergers or digital transformation projects,” he added. “We have already seen the ramifications of IT outages which cause undue stress to their customers.”

Mark Adams, regional vice-president for UK and Ireland at Veeam, claimed banks and other organizations must meet customers’ heightened expectations about service levels and downtime.

“Customers need the confidence and trust that digital transactions and the handling of data will always work as expected. With the GDPR only a month away from being enforced, this is a timely reminder for businesses to ensure personal data is subject to the most rigorous of standards and service levels,” he argued.

“It appears from the reports today that customers were not notified of the breach and the errors, instead finding out for themselves when using the online platform or mobile application. This isn't acceptable.”

Categories: Cyber Risk News

UK Financial Sector Must Improve Collaboration: Report

Tue, 04/24/2018 - 08:30

The UK finance industry must improve collaboration with government and law enforcement to disrupt the cybercrime business model more effectively, according to a new report from KPMG and UK Finance.

The report, Staying ahead of cybercrime, claimed that the industry spent a whopping $360 billion on IT in 2016 and spends three times more on cybersecurity than other sectors.

However, as cyber-criminals get better at finding the gaps in the way financial services firms work, the industry must come together to better address the problem.

While organized crime is agile, flexible, transnational and able to recruit and reward success, banks and similar are faced with an IT skills crisis, highly regulated processes, legacy systems and legal constraints, the report argued.

The answer is to work together to make the hackers’ business model less profitable, by reducing their revenue, increasing their cost base and/or making operations more risky.

This could be done by: raising the bar on security across the industry; regulatory reform to improve automated information sharing; active defense to deny criminals access to infrastructure; improving fraud and cybersecurity links to block exploitation of data; blocking cash-out and monetization faster; and working with police to increase the personal risk to the cyber-attacker.

Kirill Kasavchenko, EMEA principal security technologist at Netscout Arbor, broadly agreed with the report’s findings.

“Looking forward, we must admit that some aspects of security threats cannot be mitigated by any single organization alone. Terabit-scale DDoS attacks of 2018 are a good example: if the trend of growing DDoS attacks stays, there will be just a few organizations globally able to handle the threat. Therefore, the industry should be open to collaborate not only on best practices and information exchange, but also on the collective mitigation,” he argued.

“All organizations should be aiming for this proactive stance, rather than wishing attacks away. This is true for all sectors, but more so for financial services organizations who are particularly at risk due to the amount of sensitive data and money they store. The simple truth is that we can do more together than separately.”

Mark Weir, director of cybersecurity at Cisco UK & Ireland, claimed the collaborative spirit could be found in two industry groups: the Cybersecurity Tech Accord and the Cyber Threat Alliance.

“Ultimately, cyber-criminals are continuing to get more sophisticated and powerful, and we need to join forces if we are to ever regain control of the cyber-storm,” he argued.

Categories: Cyber Risk News

Healthcare Targeted by Hacker Group Orangeworm

Mon, 04/23/2018 - 15:55

Previously slithering beneath the radar of security researchers, the newly identified hacker group Orangeworm has surfaced as a problem for the healthcare sector. Symantec telemetry shows that the group has infected only a small number of victims. It targets healthcare more than any other industry, with the largest share of its victims (17%) located in the US.

The hacker group has been targeting organizations across several industries since 2015, and it is deliberate and methodical in choosing its victims. According to Symantec, almost 40% of its victims are healthcare providers, pharmaceuticals, IT solution providers for healthcare and healthcare industry equipment manufacturers.

In addition to companies in the US, several organizations throughout Europe have been targeted, with the largest numbers (5%) in the UK and Hungary. Saudi Arabia, India and the Philippines have also reported higher rates of victims, while the location of 10% of those attacked remains unknown.

Once the group gained access to a victim's environment, the attackers executed a range of commands that allowed them to gather a wide range of information. These commands included displaying recently contacted addresses per available network interface, system version information, IP address configuration for any available network interfaces, and account policy and network configuration information.

They then deployed a backdoor Trojan that installed Kwampirs malware. Symantec wrote, "The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear."

Though an older technique, Kwampirs' aggressive self-propagation has proven to be a viable attack method on the legacy systems common across the healthcare industry. Notably, copying itself over network shares and cycling through its extensive list of command-and-control (C&C) servers are behaviours Symantec considers noisy, suggesting that Orangeworm was not especially worried about being detected.

"Symantec says it does not have any information that could help determine the threat group’s origins, but the company believes Orangeworm is likely conducting corporate espionage," Security Week reported.

After analyzing the attacks carried out over the several years Orangeworm has been active, Symantec believes that this is either an individual or a small group, not a state-sponsored actor.

Categories: Cyber Risk News

Infrastructure of APT Group Crouching Yeti Uncovered

Mon, 04/23/2018 - 14:29

The well-known Russian-speaking advanced persistent threat (APT) group Crouching Yeti has long been targeting servers worldwide. Today, Kaspersky Lab announced it has uncovered infrastructure used by the group, which is also known as Energetic Bear.

Since 2010, Kaspersky Lab has been tracking the APT group, which is renowned for targeting energy facilities across the globe. The group's goal has been to gain access to valuable data on victim systems, which it has most often achieved through watering hole attacks, in which the attackers inject a link into legitimate websites that redirects visitors to a malicious server.

Multiple servers belonging to organizations outside the industrial sector in Russia, the US, Turkey and European countries were compromised in 2016 and 2017 and used as intermediaries to conduct attacks on other resources.

"In the process of analyzing infected servers, researchers identified numerous websites and servers used by organizations in Russia, U.S., Europe, Asia and Latin America that the attackers had scanned with various tools, possibly to find a server that could be used to establish a foothold for hosting the attackers’ tools and to subsequently develop an attack. Some of the sites scanned may have been of interest to the attackers as candidates for waterhole," Kaspersky Lab wrote in a press release.

The intruders scanned a wide range of websites and servers using publicly available server-analysis tools. Researchers also discovered a modified sshd binary with a preinstalled backdoor, which had replaced the original file and allowed the attackers to authenticate with a master password.

“Crouching Yeti is a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organizations through watering hole attacks, among other techniques. Our findings show that the group compromised servers not only for establishing watering holes but also for further scanning, and they actively used open-sourced tools that made it much harder to identify them afterwards,” said Vladimir Dashchenko, head of the vulnerability research group at Kaspersky Lab ICS CERT.

“The group’s activities, such as initial data collection, the theft of authentication data and the scanning of resources, are used to launch further attacks. The diversity of infected servers and scanned resources suggests the group may operate in the interests of the third parties,” Dashchenko added.

More details on this recent Crouching Yeti activity can be found on the Kaspersky Lab ICS CERT website.

Categories: Cyber Risk News

Gmail Spam Campaign Annoying, Not a Hack

Mon, 04/23/2018 - 14:13

When users take a look through their sent messages, they aren’t always searching for an email they sent. The security-minded user is looking for any messages that they did not send out. That’s how some Gmail users recently discovered a spam message campaign.  

Several users in a Gmail help forum reported that they had found spam emails distributed to unrecognized addresses with subject topics ranging from bitcoin and funeral insurance to weight loss and growth supplements for men. Despite what it seems, these accounts were not hacked. 

The accounts appeared to be spamming themselves, a trick spammers use to get past Gmail’s spam filters. In addition to the help forum, users also flocked to Twitter to let others know.

One user reported changing their password only to have the spam messages sent again. Users who have two-factor authentication enabled reported the same issue. A Google spokesperson assured users that their accounts had not been hacked, reporting to Mashable that it was a “spam campaign impacting a small subset of Gmail users.” 

“This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident,” Google said. 
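The distinguishing feature of the incident Google describes is that the From header named the mailbox owner while the message never actually left that account. The check below is an added illustration, not code from Google or the article: it parses a message and flags a self-addressed one whose Authentication-Results (the receiving server's SPF/DKIM verdict) did not pass. Both sample messages, their addresses and the `example.org` domain are constructed; the check assumes the provider stamps an Authentication-Results header as Gmail does.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample: a forged "from yourself" message. The relay host,
// address and authentication verdicts are invented for illustration.
const forgedSelfMail = `Received: from relay.example.invalid (relay.example.invalid [203.0.113.10])
    by mx.example.org with ESMTP id abc123
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=alice@example.org; dkim=none
From: alice@example.org
To: alice@example.org
Subject: Weight loss supplements

spam body
`

// Constructed sample: a message the owner really sent to herself.
const genuineSelfMail = `Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=alice@example.org; dkim=pass header.d=example.org
From: alice@example.org
To: alice@example.org
Subject: note to self

remember milk
`

// Verdict records whether a message was flagged and why.
type Verdict struct {
	Flagged bool
	Reason  string
}

// CheckSelfAddressed parses a raw RFC 5322 message and flags it when the
// From header claims the mailbox owner but the receiving server's
// Authentication-Results show the sender was not authenticated.
// A From header is free text and forgeable; SPF/DKIM results are not.
func CheckSelfAddressed(raw, owner string) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Verdict{}, err
	}
	if !strings.EqualFold(from.Address, owner) {
		return Verdict{false, "From header is not the mailbox owner"}, nil
	}
	// Mail that genuinely left this account passes SPF or DKIM for its domain.
	// A missing Authentication-Results header is treated as "did not pass".
	auth := strings.ToLower(msg.Header.Get("Authentication-Results"))
	if strings.Contains(auth, "spf=pass") || strings.Contains(auth, "dkim=pass") {
		return Verdict{false, "self-addressed and authenticated"}, nil
	}
	return Verdict{true, "self-addressed but SPF/DKIM did not pass: From is forged"}, nil
}

func main() {
	samples := map[string]string{"forged": forgedSelfMail, "genuine": genuineSelfMail}
	for name, raw := range samples {
		v, err := CheckSelfAddressed(raw, "alice@example.org")
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: flagged=%v (%s)\n", name, v.Flagged, v.Reason)
	}
}
```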

All of the emails have reportedly been sent via, a Canadian telecommunications company. When contacted, a TELUS spokesperson said, “We have identified spam emails being circulated that are disguised to appear as if they are coming from We are aware of the issue and can confirm the messages are not being generated by TELUS, nor are they being sent from our server. We are working with our third-party vendors to resolve the issue and are advising our customers not to respond to any suspicious emails.” 

Users who find the messages should continue to report them as spam.

Categories: Cyber Risk News

A Quarter of UK Manufacturers Suffer Cyber-Attack Losses

Mon, 04/23/2018 - 09:55

A quarter of UK manufacturers have suffered financial or other business losses stemming from a cyber-attack, according to a new study from industry body EEF.

The organization and AIG commissioned think tank the Royal United Services Institute (RUSI) to compile its Cyber-Security for Manufacturing report.

Of the 48% of manufacturers who claimed to have been struck by a cyber-incident, 24% said they suffered losses and the same number claimed their security processes were strong enough to repel any attack.

However, visibility into the scale of the problem appears to be a challenge. Some 41% claimed they don’t have access to enough information to assess their true risk exposure, while 12% said they don’t have the technical or managerial processes in place to assess risk.

A further 45% said they don’t have access to the right security tools.

The stats are concerning given that the manufacturing industry employs 2.6m people in the UK, accounting for 10% of the country’s output and 70% of its R&D, according to EEF.

Of the vast majority (91%) of respondents who said they are investing in digital transformation, over a third (35%) said cyber-risk was holding them back.

There’s also a clear and pressing need to demonstrate improvements in cybersecurity to increasingly demanding supply chain partners.

Over half (59%) of respondents said they’ve been asked by a customer to demonstrate or guarantee the robustness of their cyber-security processes, and 58% have asked the same of a business within their supply chain.

A worrying 37% of manufacturers said they could not do this if asked today.

“The importance of the manufacturing sector to the security of the UK economy cannot be overstated,” said RUSI director general, Karin von Hippel. “Increasing digitization creates further opportunities, but also exposes us to potential vulnerabilities to cyber-attacks, whether from criminals or nation-state adversaries. The sector needs to recognize these risks and respond accordingly.”

Categories: Cyber Risk News

SunTrust Investigates Malicious Insider Breach

Mon, 04/23/2018 - 09:17

US regional banking giant SunTrust is notifying 1.5 million customers that some of their personal data may have been stolen by a malicious insider.

The Atlanta-headquartered financial services firm issued a formal statement on Friday, claiming that it is offering ongoing identity protection from Experian free of charge for all current and new customers, following the discovery.

“The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed,” it explained.

“The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver's license information. SunTrust is also working with outside experts and coordinating with law enforcement.”

Chairman and CEO, Bill Rogers, apologized for the incident and claimed the company had “heightened” monitoring of users’ accounts and increased other unnamed security measures.

“While we have not identified significant fraudulent activity, we will reinforce our promise to clients that they will not be held responsible for any loss on their accounts as a result,” he said in a statement.

"Our priority is protecting our clients and maintaining their trust. Beyond this incident, we want to help all SunTrust clients combat the increasing concern about identity theft and fraud, wherever it may occur."

The Experian IDnotify package being offered to customers includes credit monitoring, dark web monitoring, identity “restoration assistance” and $1m identity theft insurance.

Insiders were blamed for over a quarter (28%) of breaches analyzed in the most recent Verizon Data Breach Investigations Report, although there was no breakdown of how many were malicious and what proportion was down to negligence.

However, over three-quarters (76%) of breaches were said to be financially motivated.

Categories: Cyber Risk News

Kaspersky Lab Rails Against Twitter Ad Ban

Mon, 04/23/2018 - 08:47

Twitter has banned ads from Russian AV company Kaspersky Lab, claiming the firm’s business practices are at odds with the platform.

The decision was communicated in a short letter sent to the firm at the end of January, according to CEO Eugene Kaspersky.

“At Twitter we believe in freedom of expression and in speaking truth to power. We also want to ensure that people feel safe when they interact with our site, and that advertisers bring value to our users,” it read.

“Accordingly, Twitter has made the policy decision to off-board advertising from all accounts owned by Kaspersky Lab. This decision is based on our determination that Kaspersky Lab operates using a business model that inherently conflicts with acceptable Twitter Ads business practices.”

Although the firm is allowed to remain an organic user on the site, Kaspersky expressed disbelief at the decision and said he has been unable to get further clarification from Twitter on its reasoning.

“One thing I can say for sure is this: we haven’t violated any written — or unwritten — rules, and our business model is quite simply the same template business model that’s used throughout the whole cybersecurity industry: We provide users with products and services, and they pay us for them,” he added. “What specific (or even non-specific) rules, standards and/or business practices we violated are not stated in the letter.”

Kaspersky likened the ban to online censorship and claimed Twitter’s actions were playing into the hands of cyber-criminals, as the firm’s tweets help to promote its research on breaking threats such as WannaCry.

Twitter subsequently told Reuters that its decision was also influenced by a Department of Homeland Security (DHS) assessment that Kaspersky Lab products may pose a national security threat.

In the past it has also banned ads from Kremlin-backed Russian media outlets Russia Today and Sputnik.

“You’re only shooting yourself in the foot when you cater to the geopolitical noise and start refusing to promote material on false pretences,” Kaspersky responded.

“No matter how this situation develops, we won’t be doing any more advertising on Twitter this year. The whole of the planned Twitter advertising budget for 2018 will instead be donated to the Electronic Frontier Foundation (EFF). They do a lot to fight censorship online.”

While Twitter has banned certain Russian companies from advertising on its platform, it still allows Kremlin-backed trolls to spread disinformation. A Whitehall report last week reportedly revealed a 4000% increase in activity from several accounts following the nerve agent attack in Salisbury.

Categories: Cyber Risk News

Irony of Leaky App at #RSAC Not Lost on Attendees

Fri, 04/20/2018 - 16:40

Every once in a while, 280 characters can make people scratch their heads. Learning about a security flaw in a mobile app designed for a security conference is one of those things that people find puzzling. Or not. 

Many members of the cybersecurity community are feeling a wide range of emotions – from unsurprised to angry – in the aftermath of learning about a leaky RSAC app. Few, however, are really shocked by the reported breach. 

Sophos’s NakedSecurity reported that a Twitter user at RSAC 2018 discovered a security problem in the conference app. RSAC tweeted a confirmation of the breach, confessing: “Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation.”

The database was discoverable via an unsecured API that could be accessed via credentials hard-coded into the app. According to Twitter threads, the security researcher who discovered the flaw messaged RSAC to alert them to some security issues with their conference app. Only six hours later, the researcher thanked both Eventbase Tech and RSAC for quickly fixing the data leak, applauding the great response time and confirming that the attendee data was no longer accessible through the reported method. 

It's not uncommon for a conference to encourage attendees to use a mobile app to navigate their way through the exhibits, speakers, and additional events, even though the week's schedule and other pertinent details of the event are available on the conference website. Some conferences will advise downloading the app for "last-minute changes or updates." Many do, especially at a conference like RSAC, because there’s an inherent trust that the mobile app for a security conference is safe. But no technology is ever completely free from risk, which attendees learned the hard way back at RSAC 2014 when a mobile application exposed the personal information of attendees.

Ironically, a Google search for “RSA leaky conference app” resulted in a link to an RSAC presentation by a Kaspersky Labs security researcher who spoke earlier this week about leaking ads. The description of his talk? “Most developers currently use HTTPS to protect user data. But that doesn’t mean their apps are secure.”

Categories: Cyber Risk News

NIST Launches Search for Lightweight Cryptographic Champions

Fri, 04/20/2018 - 15:37

The search for Lightweight Cryptographic Champions is on now that the National Institute of Standards and Technology (NIST) has launched a call for submissions of previously published and analyzed algorithms that will help set standards to better secure the entire market of the Internet of Things (IoT). 

Protecting the tiny networks within IoT devices demands a new class of lightweight cryptography, which is why NIST has kicked off its effort to find lightweight solutions to this heavyweight challenge of IoT security. 

One of the challenges in defending IoT devices is that most cryptographic systems were designed for desktops and servers, not the now-ubiquitous smaller devices with far more limited computational resources. These devices, though, are everywhere, from critical infrastructure to medical devices to cars and common household electronics. In large part, they are vulnerable to cyberattacks because they are so difficult to secure.

This week, NIST announced its push to establish viable solutions to the problem of securing data in the myriad small and inexpensive networked gadgets that make up the IoT. “Creating these defenses is the goal of NIST’s lightweight cryptography initiative, which aims to develop cryptographic algorithm standards that can work within the confines of a simple electronic device,” NIST wrote in a blog post.

“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices,” Matt Robshaw, a technical fellow at Impinj, told NIST. “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.” 

NIST computer scientist Kerry McKay said, "The IoT is exploding, but there are tons of devices that have nothing for security. There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”

Still in its draft form, the Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process details the proposed requirements and evaluation process and will soon allow the community to weigh in on the draft guidelines. Feedback received on the draft will inform the final submission process. 

One capability NIST requires of submitted algorithms is authenticated encryption with associated data (AEAD), so that recipients can verify the integrity of both the encrypted payload and the unencrypted associated data in a message. Additionally, in order to reduce costs, any hash function must share resources with the AEAD.
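To show what the AEAD property buys, here is an added example (not NIST's code, and not one of the lightweight candidates): AES-GCM from Go's standard library stands in for the lightweight AEAD, since the binding of cleartext associated data to the ciphertext works the same way. The device ID, counter, payload and all-zero demo key are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels on the wire: the associated data is sent in the
// clear (a device can read it without decrypting), while the ciphertext
// carries the authentication tag that Seal appends.
type Envelope struct {
	Nonce          []byte
	AssociatedData []byte // e.g. device ID and message counter, readable by anyone
	Ciphertext     []byte // encrypted payload followed by the 16-byte GCM tag
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and binds the cleartext associated data to it,
// so the single tag covers both the secret payload and the public fields.
func Seal(key, associated, plaintext []byte) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{nonce, associated, aead.Seal(nil, nonce, plaintext, associated)}, nil
}

// Open returns the plaintext only if neither the ciphertext nor the
// associated data was altered in transit; the AEAD rejects both cases.
func Open(key []byte, e Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, e.Nonce, e.Ciphertext, e.AssociatedData)
	if err != nil {
		return nil, errors.New("authentication failed: payload or associated data tampered")
	}
	return pt, nil
}

func main() {
	key := make([]byte, 16) // constructed all-zero demo key; real devices get a provisioned key
	env, _ := Seal(key, []byte("device=pump-42;seq=7"), []byte("dose=2.5"))
	if pt, err := Open(key, env); err == nil {
		fmt.Println("accepted:", string(pt))
	}
	env.AssociatedData = []byte("device=pump-42;seq=8") // counter altered in the clear
	if _, err := Open(key, env); err != nil {
		fmt.Println("rejected:", err)
	}
}
```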

NIST will accept comments on the draft for 45 days before releasing a formal document, after which time it anticipates accepting submissions over a six-month period. 

Categories: Cyber Risk News