Breaches get worse and attacks keep happening, as threat actors have all the capability they need thanks to users’ habits.
Speaking at Infosecurity North America in New York City, author, speaker and chief hacking officer of KnowBe4 Kevin Mitnick said that threat actors are able to collect information on their victims all too easily, and that when evaluating a company it is also straightforward to determine its suppliers, customers, partners, vendors and employees to enable a social engineering exercise.
In his opening keynote “How to fight back against hacker attacks”, Mitnick cited several examples of how to socially engineer a company and bypass traditionally strong security tools like anti-virus and two-factor authentication.
In one example, he said he had been hired by a Canadian retailer for an assessment. He was able to determine who its HR provider was, so he set up a cloned website on the Canadian .ca domain, called a member of the company and told them the provider was “standardizing top level domains” and to try .ca first. This gave him access to all payroll data and all salary history.
He said: “The attack was not so interesting to me, but the longest part of it was waiting for the DNS to propagate on the .ca domain, which took about half an hour.”
Mitnick was also able to demonstrate how to bypass two-factor authentication, as “most companies offer one type of authentication.” His example was a fake PayPal invoice that asked for credentials; once these were intercepted, so were the victim’s session cookies. To prevent this he recommended using U2F protocol tokens, but said that these can also be stolen.
Overall, Mitnick demonstrated how simple it is to hijack a victim with only a small amount of personal data. To defend against such attacks, he advised testing with the tactics “the threat actors use” and creating security tools that employees actually want to use.
The CEO and finance director of film company Pathé’s Dutch operation were sacked after falling victim to a sophisticated BEC scam that netted the criminals €19m ($21m), it has emerged.
Finance boss Edwin Slutter and chief Dertje Meijer are now suing for unfair dismissal, according to reports based on newly released court documents.
The scam followed a tried-and-tested path, with fraudsters spoofing the email address of a higher-up: in this case the CEO of the French film company, back in March.
Emailing Meijer, they claimed the firm was in acquisition talks with a Dubai company and needed to send a confidential payment of €826,521 ($931,600) which would be repaid at the end of the month.
After consulting with Slutter, and receiving an invoice for said amount, Meijer authorized the payment, made to a bank account operated by “Towering Stars General Trading LLC” in Dubai.
Three more payments followed, until by March 27, Pathé Nederland had paid over a total of €19.2m, according to DutchNews.nl.
The Paris HQ eventually caught wind of what happened and the two were sacked by the month’s end.
In the end, the court decided that Slutter should not have been sacked on the spot. It reportedly ordered that he be paid his monthly salary of €13,500 ($15,200) from March until the end of the year, when his contract should be formally dissolved.
The case is yet another warning of the perils of BEC, also known as CEO fraud, which has netted cyber-criminals over $12.5bn since 2013.
Stephen Burke, CEO at Cyber Risk Aware, argued that senior executives should work on the assumption that they are being actively targeted.
“Details on C-Suite executives are often publicly available which makes it incredibly easy for cyber-criminals to customize social engineering attacks on a company. They could send believable phishing emails or call the company to establish an executive’s whereabouts to inform the type of messaging to use in their attack,” he explained.
“To overcome this, organizations must make security awareness a priority, so C-Level executives can learn how to follow best practice, as well as being empowered to report anything suspicious.”
A car repair company employee has been sentenced to six months in jail for data theft, in the first case prosecuted by the UK’s privacy watchdog.
Mustafa Kasim used his colleagues’ log-ins to access thousands of customer records without permission, while working for Nationwide Accident Repair Services (NARS), according to the Information Commissioner’s Office (ICO).
He continued to do so after moving to another firm which used the same software system (Audatex), used to estimate the cost of vehicle repairs.
It’s not clear why Kasim accessed these details, which included customers’ names, phone numbers, vehicle and accident information. However, an investigation was begun after NARS noted an increase in customer complaints about nuisance calls — indicating their personal data had been sold on to a third party.
Although the ICO would normally prosecute such cases under the GDPR-based Data Protection Act 2018 or its antecedent, in this case it chose to do so under the Computer Misuse Act 1990.
Kasim pleaded guilty to a charge of “securing unauthorized access to personal data” between January 13 2016 and October 19 2016 at London’s Wood Green Crown Court.
“Although this was a data protection issue, in this case we were able to prosecute beyond data protection laws resulting in a tougher penalty to reflect the nature of the criminal behavior,” said Mike Shaw, group manager of the ICO’s Criminal Investigations Team.
“Data obtained in these circumstances is a valuable commodity, and there was evidence of customers receiving unwarranted calls from claims management companies causing unnecessary anxiety and distress. The potential reputational damage to affected companies whose data is stolen in this way can be immeasurable. Both Nationwide Accident Repair Services and Audatex have put appropriate technical and organisational measures in place to ensure that this cannot happen again.”
Questions have been raised about Cathay Pacific’s incident response after new details emerged about the world’s biggest airline data breach.
The Hong Kong carrier had originally claimed last month that it “discovered unauthorized access” to data on 9.4 million passengers and “took immediate action to investigate and contain the event.” Reports at the time suggested that the firm first found evidence of the activity in March and confirmed data had been accessed two months later.
That would have been bad enough, but in a new filing to the Hong Kong legislature (LegCo) this week the airline admitted that after discovering the initial suspicious activity it “was subject to further attacks which were at their most intense in March, April and May but continued thereafter.”
“These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” it continued. “[They] also expanded the scope of potentially accessed data, making the challenge of understanding it more lengthy and complex…”
Under local laws, Cathay wasn’t mandated to notify the authorities immediately of a breach, but the fact that it couldn’t work out until August which passenger data had been accessed or exfiltrated will raise some eyebrows.
The SAR’s privacy commissioner said last week that it was launching a compliance investigation into the firm’s handling of the breach, and new data protection laws may be rolled out in the city-state.
The airline is said to be working with 27 regulators in 15 jurisdictions following the incident, although it could escape GDPR investigation given the initial intrusion was discovered in March.
The airline's assurance that there’s been no evidence of misuse of the stolen data is meaningless, according to High-Tech Bridge CEO, Ilia Kolochenko.
“Worse, it may mean that someone very smart is exploiting the data in a non-trivial way, and probably very detrimental for the victims. Moreover, the stolen data can appear for sale on the black market at any time,” he added.
“Taking into consideration the gravity of the breach, customers of Cathay will likely have no reliable recourse apart from promptly changing all their credit cards and IDs. Cathay may face numerous class actions and individual lawsuits from disgruntled customers, in parallel with severe monetary sanctions imposed by regulators from different countries.”
One UK law firm is already preparing a class action suit.
Seattle-based retailer Nordstrom suffered a data breach in which a wide range of personal information was exposed. The data included employee names, Social Security numbers, dates of birth, checking account and routing numbers, salaries and more.
Co-president Blake Nordstrom reportedly apologized to employees in an email in which he had notified staff about the data breach. According to a statement from the company, the anomalous activity was detected on October 9, 2018, after a contract worker had inappropriately handled some Nordstrom employee data.
What followed was what Terry Ray, CTO at Imperva, said was protocol worthy of a pat on the back. “Employee data was collected and given to a third party, most likely to manage direct deposits of wages, certainly not unusual in business and a necessary reason to gather such data.”
While the contract worker inadvertently exposed data, Nordstrom reportedly has taken appropriate action in responding to the incident, which is currently being investigated.
"Nordstrom’s own security team became aware of the exposure in a reasonable time. Many breaches and exposures aren’t identified for months or years and, often times, not disclosed in a reasonable amount of time," said Ray.
"Additionally, most breaches are identified by external researchers or law enforcement before the company; however, this is not the case with Nordstrom. Nordstrom knows what was exposed – employee data (names, addresses, banking details) – not customers' [data]. In more than half of breaches and exposures companies do not know what data was exposed or stolen. Nordstrom then took immediate steps to remediate, removing the contract worker and putting additional controls in place."
Though no evidence of data theft has been discovered, the company has been proactive about notifying all employees of the incident.
"Taking that a step further, Nordstrom offered affected employees two years of identity theft protection, which companies often only offer post breach, for exposure. All in all, Nordstrom appears to be handling this exposure very responsibly. Kudos to them,” Ray said.
A security researcher at Imperva recently identified a vulnerability within Facebook that could have allowed other websites to extract private information about users and their contacts.
Discovered by Imperva security researcher Ron Masas, the vulnerability reportedly preyed on the unique cross-origin behavior of iframes, which embeds another HTML page into the current page. By manipulating Facebook’s graph search, it was possible to craft search queries that reflected personal information about the user.
“A unique feature of the uncovered bug is the exploitation of the iframe element within Facebook’s search feature. This allowed information to cross over domains, essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.
“Like the data exposed in the Cambridge Analytica breach, this data is attractive to attackers looking to develop sophisticated social engineering attacks or sell this data to an advertising company. Interestingly, the vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends.”
Warning that the technique could increase in popularity throughout 2019, Masas added, "Bugs are usually found to circumvent authentication bypasses to gain access to personal information, but this bug enables attackers to exploit Facebook’s use of iframes to leak the user's personal information. Interestingly, this technique leaves almost no trace unlike authentication bypasses.”
According to Imperva, the vulnerability was reported to Facebook under its responsible disclosure program in May 2018. Masas worked with the Facebook security team to mitigate regressions and ensure that the issue was thoroughly resolved.
In a statement shared with TechCrunch, Facebook spokesperson Margarita Zolotova wrote, “We appreciate this researcher’s report to our bug bounty program. As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”
In an attempt to develop a set of shared principles for securing cyberspace, France’s president, Emmanuel Macron, launched the Paris Call for Trust and Security in Cyberspace at yesterday’s UNESCO Internet Governance Forum (IGF).
The Paris Call has the backing of more than 50 countries. Notably missing from the list are Russia, China and the United States. In addition to the many countries that have signed the declaration, private and civil organizations have committed to support the collective effort to work on several initiatives, which include increasing prevention against and resilience to malicious online activity, protecting the accessibility and integrity of the internet, and cooperating to prevent interference in electoral processes, according to France Diplomatie.
“We condemn malicious cyber activities in peacetime, notably the ones threatening or resulting in significant, indiscriminate or systemic harm to individuals and critical infrastructure and welcome calls for their improved protection. We also welcome efforts by States and non-state actors to provide support to victims of malicious use of ICTs on an impartial and independent basis, whenever it occurs, whether during or outside of armed conflict,” wrote the Paris Call.
The willingness of supporting states to work together to prevent and recover from malicious attacks is indeed an admirable promise, but Paul Bischoff, privacy advocate at Comparitech.com said, “To be clear, countries who signed the pact did not agree to any specific rules, goals, or penalties. Instead, they agreed to figure all that out together at a later date. So the pact is mostly symbolic.”
A realistic concern Bischoff noted is the strong likelihood that Russia and China will not sign. “Many of the pact's measures imply taking action against them. Russia and China are the source of most of the world's malware and cyber-attacks, many of which are state sponsored. Russia in particular is at the forefront of everyone's mind when it comes to election hacking. The pact says it will try to 'prevent malign interference by foreign actors.' Who does 'foreign actors' refer to if not the Russians? 'Prevent ICT-enabled theft of intellectual property' is a finger-wag at China.
“The US is also involved in a fair deal of cyber-espionage, and it has its own interests to worry about. The US is home to most of the world's largest and most profitable tech and internet giants, many of which served as a medium for previous election hacking campaigns. This pact could seek to regulate them. And after seeing Trump walk away from the Paris Climate Accord, I'm not sure why anyone would be surprised at this result."
Though the intent of the call is to apply international humanitarian law to cyberspace, Colin Bastable, CEO of Lucy Security, said, “This is grandstanding by a politician, a nothingburger, made no more appetizing when juxtaposed with today’s other, more ominous, announcement that French civil servants will be embedded in Facebook. We can rest assured that personal cyber insecurity, the consumer issue of our times, will not be enhanced by either of these announcements from Paris.”
New research from SailPoint has revealed that poor staff cybersecurity behaviors within organizations are getting worse, despite a greater focus on security awareness in the workplace.
The firm quizzed 1600 global employees, discovering that 75% of respondents reuse passwords across both personal and professional accounts, a figure up from 56% in 2014. Interestingly, the percentage of 18-25-year-olds who admitted reusing passwords was even higher (87%), suggesting employees’ approaches to security are worsening as more millennials enter the workforce.
What’s more, almost a quarter (23%) of all those polled said they only change their work password two times or fewer a year and 15% would consider selling their workplace passwords to a third party.
In terms of frictions between the IT department and the rest of the workforce, more than half of respondents considered IT to be “a source of inconvenience,” whilst 13% would not immediately inform IT if they had been hacked.
Furthermore, SailPoint’s research suggested that new technologies are creating new areas of risk for organizations. Nearly half (48%) of respondents use or are planning to use AI chatbots/personal assistants at work, and 31% had deployed software without IT’s help.
Speaking to Infosecurity, Bruce Hallas, security awareness, behavior and culture expert and owner and principal consultant at Marmalade Box, said that password management is probably one of the security policies that employees receive the most consistent training on, so when 75% of employees reuse passwords across personal and professional accounts it raises questions about the effectiveness of current awareness raising and behavior improvement methods.
“Where organizations rely on employees to remember and then change their password periodically in line with policy, without a system prompt, you’re statistically likely to [see] a high level of non-compliance,” he added.
“If 23% of respondents change their passwords twice or fewer times a year, but this is in line with their organizational policy, then that’s fine, but probably not ideal. If the 23% are in breach of their organization’s password policy then you’ve got to focus on why those behaviors prevail. A simple starting point might be [to ask] ‘do they even remember the policy’ after they’ve had their training.”
Juliette Rizkallah, CMO, SailPoint advised: “By taking an identity-centric approach to security, IT can gain full visibility and control into which applications and data that users, including both human and non-human bots, are accessing to do their jobs. This approach allows enterprises of all sizes to confidently address the tension between enablement and security exposed in our Market Pulse Survey.”
Security experts and trade unions have expressed doubts and concerns over some firms’ reported plans to microchip their employees.
Swedish firm Biohax is said to be in talks with several legal and financial firms in the UK to fit the rice grain-sized chips, which are implanted into the flesh between the thumb and forefinger.
They could then be used as an authentication device to enable or restrict access to certain parts of a building or facility.
“These companies have sensitive documents they are dealing with,” Biohax founder, Jowan Österlund is reported as saying. “[The chips] would allow them to set restrictions for whoever.”
The firm has already partnered with US firm Three Square Market in a voluntary scheme to chip its employees.
Another firm, UK-based BioTeq, has already chipped 150 users, although most are individuals, according to the Guardian.
However, both the CBI and TUC reportedly expressed concerns over the practice: the former arguing that “firms should be concentrating on rather more immediate priorities,” while the latter claimed it could be abused by employers to give them “even more power and control over their workers.”
In a longer article, the TUC went further, arguing: “we’d like to hear what security concerns could possibly justify the use of such technology on staff.”
It added that with costs per chip potentially reaching £260, the economic case for microchipping employees is also pretty flimsy.
“Intrusive surveillance undermines trust in the workplace by making people feel they’re always being watched,” it concluded.
“So instead of microchipping their workforce, bosses need to start engaging with staff and unions to make new technology work for everyone.”
Security experts were also unconvinced.
Outpost24 CSO, Martin Jartelius, argued that the chips could drive a dangerous false sense of security.
“While there is no doubt that this may ease the problem of employee two-factor tokens, as the chip is implanted under their skin and cannot be easily stolen, the assumption that something is less likely to be hacked because it’s under your skin is flawed and dangerous,” he added.
“It’s reasonable to assume that when something is implanted into a person it is less likely to be forgotten and to be stolen, but it doesn’t mean ‘because the microchip is in my thumb it’s less likely to get hacked.’ The very location of a microchip in your hand may actually lead to increased exposure, as the hands form the basis of our physical interaction with our surroundings.”
Some 60% of European retailers have seen an increase in fraud over the past year, despite the vast majority having prevention systems in place, according to Adyen.
The payments platform provider polled 5000 consumers and 500 retailers in the UK, Spain, France, Germany and the Nordics to compile its 2018 European retail report.
Over three-quarters said they “are prepared” for fraud or have active fraud prevention systems in place, with a majority looking to biometrics like fingerprint scanners (57%) and voice authentication (56%) to improve resilience.
However, current solutions appear to be failing given the rise in fraud across a majority of retailers surveyed. That’s bad news as consumer expectations around security grow higher.
Some 69% of European shoppers polled said they would avoid any brands hit by a data breach, for example.
The research also highlighted potential regulatory concerns in the market.
The EU’s Second Payment Service Directive (PSD2) mandates strict new authentication standards to help minimize fraud as well as implementation of 3D Secure 2.0 by 2019. However, while over 20% of retailers said they already comply and 27% are planning to in the next 12 months, nearly a quarter (24%) said they don’t have plans to do so.
“As technology makes the shopping experience more engaging and convenient, it also powers the sophisticated fraudsters. Retailers need to walk a very fine line of doing everything in their power to help prevent fraudulent transactions and protect their customers, but they also don’t want to be overly cautious and decline legitimate transactions,” explained Adyen’s UK MD, Myles Dawson.
“Payments technology is key in this regard. Machine learning and advanced data analysis plays a vital role in accurately identifying the shopper behind each transaction to reduce chargebacks and false positives.”
UK identity fraud fell in the first half of 2018 for the first time in five years, but fraud against online retail accounts rose by 24% year-on-year, alongside fraudulent applications for credit and debit cards (12%), according to Cifas.
Cyber-attacks are the number one business risk in the regions of Europe, North America and East Asia and the Pacific, according to a major new study from the World Economic Forum (WEF).
Its Regional Risks for Doing Business report highlights the opinions of 12,000 executives from across the globe.
While “unemployment or underemployment” and “failure of national governance” take first and second place respectively, cyber threats have moved from eighth in last year’s report to fifth this year.
It tended to be viewed as a greater risk in more advanced economies: 19 countries from Europe and North America plus India, Indonesia, Japan, Singapore and the United Arab Emirates ranked it as number one.
In Europe, the UK and Germany both placed cyber-attacks as the number one risk.
“When looking at the causes of breaches, it’s evident that email attachments, links and downloads are the most common methods used by hackers. Be it HR professionals opening infected CVs from unknown sources, or employees clicking links on malware-riddled social media sites on their lunch break, users provide hackers with an easy route to bypass security,” he added.
“These simple attack methods are still effective because the architecture cybersecurity is built on is fundamentally flawed, as it overwhelmingly relies on detecting these threats. We’re increasingly seeing zero-day and other polymorphic malware being used to evade detection. Even the more sophisticated detection-based tools that utilize machine learning, AI and behavioral analytics to identify anomalies and patterns can potentially struggle to determine what is good and what is bad – and are certainly never able to be 100% accurate.”
Mimecast cyber-resilience expert, Pete Banham, argued that attacks represent a clear risk to productivity and growth.
“New cyber-threats will continue to adapt to take advantage of weaknesses in systems and procedures, especially as global cloud computing vendors aggregate IT risks,” he said.
“Business continuity and cybersecurity are together now major boardroom issues. The only way to mitigate these new risks is to adopt a strategy of cyber-resilience that brings together threat protection, durability and recoverability.”
WannaCry ransomware is still the most widespread cryptor family and has hit almost 75,000 users as of Q3 2018, according to new research from Kaspersky Lab.
The firm found that since the WannaCry outbreak in May 2017, which cost the NHS £92m, the ransomware has affected 74,621 users across the globe. It is still active one and a half years on, and accounted for 28% of all cryptor attacks in Q3 2018, a growth of more than two-thirds compared to Q3 2017.
“It is concerning to see that WannaCry attacks have grown by almost two-thirds compared to the third quarter of last year,” said David Emm, principal security researcher at Kaspersky Lab. “This is yet another reminder that epidemics don’t cease as rapidly as they begin – the consequences of these attacks are unavoidably long-lasting.”
Despite the WannaCry attacks highlighting the importance of patching against the EternalBlue exploit that the ransomware leverages, Kaspersky Lab’s findings show that plenty of unpatched computers remain worldwide and that criminals continue to target them.
“Cyber-attacks of this type can be so severe that it’s necessary for companies to take adequate preventive measures before a cyber-criminal acts – rather than focus on recovery,” added Emm.
Kaspersky Lab’s advice for effective ransomware defense included:
- Update your operating system to eliminate recent vulnerabilities and use a robust security solution with updated databases. It is also important to use a security solution that has specialized technologies to protect your data from ransomware
- If you are unlucky and all your files are encrypted with cryptomalware, it is not recommended to pay the cyber-criminals, as it encourages them to continue their dirty business and infect more people’s devices. It is better to look for a decryptor on the internet
- Always have fresh backup copies of your files so that you can replace them if they are lost, and store them not only on the physical device but also in cloud storage for greater reliability
- To protect the corporate environment, educate your employees and IT teams, keep sensitive data separate, restrict access and always back up everything
- Last, but not least, remember that ransomware is a criminal offence. You shouldn’t pay. If you become a victim, report it to your local law enforcement agency
The implementation of major EU-wide security legislation took a major leap forward on Friday as the government officially identified the organizations that will be required to comply with the NIS Directive.
Known in full as the directive on the security of network and information systems, the law will be applied slightly differently by each member state.
A key driver for the directive is to improve baseline security among providers of critical infrastructure, known as “operators of essential services” (OES). It will help to do this with GDPR-like maximum fines of £17m or 4% of global annual turnover, and mandatory 72-hour notifications of serious incidents.
Although the directive came into force on May 10, Friday was the deadline for governments to identify these OES organizations, which cover several sectors: energy, transport, healthcare, water and digital infrastructure.
“The number of targeted intrusions into the UK’s critical infrastructure is increasing. Employing preventative cybersecurity solutions that seamlessly integrate security into control systems is therefore essential,” argued Palo Alto Networks CSO, Greg Day.
“The NCSC has made effective implementation of NIS a priority since it came into effect in May, issuing detailed guidance for both businesses and implementing agencies. Today’s step, whereby the UK government informs those entities considered operators of essential services, is another important milestone in the UK’s efforts on the hugely important issue of cybersecurity.”
Matt Walmsley, EMEA director at Vectra, welcomed the latest deadline as helping to force operators in key sectors to focus on improved security.
“Bad actors, and particularly those of nation states, are well-resourced, innovative and highly motivated, and organizations have limited time, finite human and technical resources and capabilities with which to protect their rapidly expanding attack surface,” he added.
“Nation states, or their sponsored proxies, have broad motivations, and expecting the unexpected is a difficult task. All organizations therefore need to realize that breaches are a case of if not when and so equip themselves to identify and respond to attacks to remediate them in their early stages before damage is done. It’s a tough and never-ending task for the defenders, and one increasingly requiring levels of automation and empowerment from artificial intelligence.”
A Chinese headmaster has been fired after secretly mining cryptocurrency using his school’s electricity supply, according to reports.
Hunan man Lei Hua had dismissed reports from teachers of excessive power consumption in the building as the fault of air conditioning units and heaters, according to the BBC.
However, when they found the eight cryptocurrency mining machines he had hooked up to the power supply, the game was up.
They reportedly ran up an electricity bill of 14,700 yuan (£1600) mining Ethereum 24 hours a day.
After laying out 10,000 yuan on just one mining machine and seeing the exorbitant electricity costs that resulted, Hua apparently decided to minimize his overheads by moving the operation to the school in summer 2017.
However, it not only ended up costing the school a fortune in energy bills but also reportedly overloaded the network, interfering with teaching.
Hua was fired last month, while his deputy, who tried to get in on the scheme by buying and plugging his own machine into the school computer room, was given an official warning.
The case highlights the impact of cryptocurrency mining on organizations, especially those whose servers may have been hijacked in cryptojacking attacks.
A Canadian university was forced to shut down its entire IT network recently after discovering the malware on its systems.
Those attacks are on the rise. McAfee revealed that coin mining malware detections rose 629% in the first quarter to more than 2.9 million samples, while Trend Micro reported a massive 956% increase between the first half of 2017 and the same period this year.
"Just like in this school, cryptomining operations could be running within your organization’s network — draining vast amounts of energy without your knowledge. IT teams need to be vigilant,” argued Barry Shteiman, VP of research and innovation at Exabeam.
“The best thing to do is look for anomalies in your electricity bill. You should also measure changes in your HVAC usage for heat dissipation, although this will be more difficult. Beyond that, look for sudden changes in capacity or usage, as well as significant deviations in pattern and velocity.”
He added that “entity analytics” tools could also be used to help spot the irregular network behavior indicative of a cryptomining attack.
The Bank of England (BoE) held a one-day “cyber resilience” exercise on Friday designed to test the UK banking sector’s ability to withstand a major attack.
In a brief statement, the BoE explained it had partnered with the Treasury, regulator the Financial Conduct Authority (FCA) and other industry bodies to run the event.
“This exercise forms a vital part of the sector-wide biennial process that seeks to ensure the industry is prepared for — and can respond effectively to — any major disruption stemming from a cyber incident, protecting the financial system on which the public relies,” it said. “The exercise will help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole.”
The BoE’s Systemic Risk Survey for the first half of 2018 placed cyber incidents in joint second alongside geopolitical risk, with 62% of financial institutions citing them as a major risk to the UK’s financial system. That figure apparently stands at an all-time high.
Released in June, the study also revealed an increase in the number of respondents claiming that cyber-attacks are the risk most challenging to manage, to over half (51%).
The continued focus on industry-wide cyber stress tests like this was welcomed by industry experts, including ESET’s Jake Moore.
“Cyber-attacks aren’t a possibility, they are an eventuality, so we will never have enough people, systems or money to prevent or detect an attack,” he argued. “Therefore, you need to invest in training as well as multiple prevention techniques to make it work. However, it is not always as simple as that, so making training engaging and even fun adds impact to the way it sinks in and quickly makes it second nature.”
Pete Banham, cyber resilience expert at Mimecast, claimed that other sectors should think about running similar initiatives.
“The fact that firms aren’t being tested on a pass or fail basis is significant as it means they will be transparent about their current capabilities, rather than worrying about being exposed as unprepared. This will help them work towards being adequately prepared for large-scale cyber-attacks and ensure they have the right cyber-resilience strategy in place,” he argued.
“Hackers are always lying in wait, so we need to see more instances of sectors uniting to combat malicious attacks.”
Cryptocurrency mining has become a fairly easy way to manufacture currency, and according to Trend Micro, a new cryptocurrency-mining malware uses evasion techniques, including Windows Installer, as part of its routine.
In the cryptocurrency miner identified as Coinminer.Win32.MALXMR.TIAOODAM, researchers noted the use of multiple obfuscation and packing routines. The malware leverages the Windows platform, and though it has an overall low risk rating, the damage potential scored in the medium range.
While the results might be lucrative, the process is actually quite resource-intensive, which is one reason malicious actors continue to find ways to exploit other machines using mining malware. This malware has been largely successful in avoiding detection, particularly when combined with obfuscation routines, according to Trend Micro.
Dropped by other malware or downloaded from the internet, the coinminer infects the user system after arriving as a Windows Installer MSI file. It then drops multiple files in the directory as part of its process and uses the CryptoNight algorithm for its coin-mining routine. Included in the files are a .bat file that shuts down any anti-malware program running on the machine, an .exe unzipping tool and a password-protected zip file that appears to be an icon (.ico) file.
Two additional files were revealed once icon.ico was unpacked, after which the next part of the installation process created copies of the kernel file and a Windows USER component. Researchers noted that the installation uses Cyrillic rather than English text, though there is no concrete evidence indicating the region of origin.
“To make detection and analysis even more difficult, the malware also comes with a self-destruct mechanism,” the authors wrote. “It deletes every file under its installation directory and removes any trace of installation in the system. One notable aspect of the malware is that it uses the popular custom Windows Installer builder WiX as a packer, most likely as an additional anti-detection layer. This indicates that the threat actors behind it are exerting extra effort to ensure that their creation remains as stealthy as possible.”
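A triage check for the disguise described above (a password-protected ZIP named as an .ico), written as an added example rather than Trend Micro's code: it classifies files by their leading bytes instead of their extension and reads the ZIP encryption flag. The samples are constructed headers, not artefacts from the real malware.

```python
import struct
from pathlib import Path

# Magic bytes: a Windows icon starts with a reserved 0 word and image type 1;
# a ZIP archive starts with the local-file-header signature "PK\x03\x04".
ICO_MAGIC = b"\x00\x00\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"


def classify_header(data: bytes) -> str:
    """Return the container type implied by the content, ignoring the file name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ICO_MAGIC) and len(data) >= 6:
        # A real icon header carries the image count; zero images is not a usable icon.
        count = struct.unpack("<H", data[4:6])[0]
        return "ico" if count > 0 else "unknown"
    return "unknown"


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag (offset 6 in the local file header) marks an encrypted entry."""
    if not data.startswith(ZIP_MAGIC) or len(data) < 8:
        return False
    flags = struct.unpack("<H", data[6:8])[0]
    return bool(flags & 0x0001)


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims an icon but the bytes are a ZIP archive."""
    return Path(name).suffix.lower() == ".ico" and classify_header(data) == "zip"


def triage(files: dict) -> list:
    """Return the names of files whose content contradicts their extension."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


# Constructed samples (not real malware): a minimal encrypted ZIP local header renamed
# to icon.ico, a genuine one-image ICO header, and an MSI (OLE compound file) header.
SAMPLES = {
    "icon.ico": ZIP_MAGIC + b"\x14\x00" + b"\x01\x00" + b"\x00" * 22,  # flag bit 0 set
    "real.ico": ICO_MAGIC + struct.pack("<H", 1) + b"\x00" * 16,
    "setup.msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print(f"{name}: claims .ico, content is ZIP, encrypted={zip_is_encrypted(SAMPLES[name])}")
```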
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Department of Homeland Security (DHS), has issued a US-CERT alert for the JBoss Verify and EXploitation (JexBoss) tool, an open-source tool often used by red teams.
According to the alert, malicious actors are using JexBoss to test and exploit vulnerabilities not only in the JBoss Application Server (JBoss AS) but also in a variety of Java applications and platforms.
Written in the Python programming language, the JexBoss tool used in threat hunting automates all the phases of a cyber-attack, making it a powerful tool when used by threat actors. Attackers have reportedly used JexBoss in the SamSam ransomware campaign that targeted the healthcare industry.
Able to run from most standard operating systems, JexBoss allows an attacker to execute arbitrary OS commands on the target host, the CERT said. Through either installing a webshell, blindly injecting commands, or establishing a reverse shell, the attacker is able to submit OS commands.
In an exploit attempt, researchers were successful in the delivery, exploitation, installation, command-and-control and action on objectives phases, and NCCIC determined that JexBoss operates at all seven phases of the Cyber Kill Chain framework.
“It is very concerning to see that an open source tool created to detect vulnerabilities is now being used to test and exploit vulnerabilities in JBoss AS,” said Justin Jett, director of audit and compliance for Plixer.
“It is critical that IT professionals monitor the traffic on their servers where JBoss is installed. Specifically, they should be sure to take advantage of network traffic analytics to determine when non-authorized users or IPs are connecting to these devices directly and to ensure that firewall rules are being properly enforced. Should malicious actors gain access to the server, they can easily determine which vulnerabilities are available to exploit, and more importantly they may be able to change the behavior of the application. This could cause irreparable damage if the application is customer facing or contains sensitive information.”
Best practices for mitigation include ensuring that servers are not vulnerable to the exploits JexBoss uses. The NCCIC also recommends that users and administrators review AR18-312A for more information.
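The monitoring Jett describes (flagging direct connections to JBoss management endpoints from IPs that are not authorized) as an added example, not code from NCCIC or Plixer. The management paths and the admin network allowlist are assumptions, and the access-log lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed: JBoss management endpoints that should only ever be reached from admin hosts.
WATCHED_PATHS = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet",
                 "/invoker/EJBInvokerServlet")

# Assumed: the only network permitted to reach those endpoints directly.
ALLOWED_ADMIN_NETS = [ip_network("10.0.5.0/24")]

# Apache/NCSA combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_admin_source(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_ADMIN_NETS)


def suspicious_requests(lines) -> list:
    """(ip, path, status) for every management-endpoint request from a non-admin source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string when matching
        if any(path.startswith(p) for p in WATCHED_PATHS) and not is_admin_source(rec["ip"]):
            hits.append((rec["ip"], path, rec["status"]))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '10.0.5.7 - admin [12/Nov/2018:09:15:02 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Nov/2018:09:16:44 +0000] "GET /jmx-console/ HTTP/1.1" 200 5120 "-" "python-requests/2.18"',
    '203.0.113.45 - - [12/Nov/2018:09:16:45 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 210 "-" "python-requests/2.18"',
    '198.51.100.9 - - [12/Nov/2018:09:20:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 3400 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT non-admin source {ip} reached {path} (HTTP {status})")
```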
To more accurately assess the threats of cyber vulnerabilities, the National Institute of Standards and Technology (NIST) has partnered with IBM to use Watson’s artificial intelligence (AI) for scoring bugs.
The Common Vulnerabilities and Exposures (CVE) system assigns publicly known security vulnerabilities a score based on the severity of the flaw. The Common Vulnerability Scoring System (CVSS) quantifies the degree of the threat with a numerical ranking between 0.0 and 10.0. In order to evaluate the severity of the growing number of vulnerabilities reported each week, NIST announced that it will use IBM’s Watson. Relying on AI to assess the likelihood of exploitation and assign a CVSS score will help to expedite the scoring process.
Because the number of vulnerabilities disclosed has skyrocketed from a couple hundred to several thousands per week, keeping pace with scoring the disclosures has become both laborious and time consuming, according to NextGov.
"With the mounting number of CVEs that enterprises are facing, utilizing Watson would allow enterprise CISOs to better navigate which CVEs are most likely to impact their organizations and apply resources to remediation on those controls. Knowing where to focus your time and budget as a CISO is key,” said George Wrenn, CEO, CyberSaint Security.
"We've seen firsthand the benefits of adopting the NIST Cybersecurity Framework (CSF) and the enormous agility benefits that AI-powered automation enables, particularly in helping avoid misdirecting time, unnecessary manual effort, and resources. We've also seen the power of dynamic threat intelligence that's identified and 'injected' into compliance programs on a control-by-control basis. This is a level of risk analysis that can only be done through the use of breakthrough tech and AI. It is no surprise NIST is delving into this area."
Matthew Scholl, chief of the NIST’s computer security division, reportedly said that Watson is expected to be assigning CVSS scores to most publicly reported vulnerabilities by October 2019 and that the AI system will replace the work of numerous human analysts.
“Applying AI, and in particular Watson, to the scoring of vulnerabilities will be useful for keeping up with the increased NIST work load. However, I don’t foresee this addressing the issue of organizations still not patching their systems in time,” said Gabriel Gumbs, VP of product strategy, STEALTHbits Technologies.
Rating the severity of publicly reported vulnerabilities has the potential to help prioritize which systems are patched first and how soon those patches are applied. Said Gumbs, “This program could go a step further and score both the inherent risk and the residual risk of vulnerabilities when other controls are in place. This would allow for real-world patch prioritization scenarios where organizations can apply controls that can be rolled out faster than a patch and in cases where patches do not [yet] exist still reduce their exposure.”
Sextortion, spam, phishing and crypto scams dominated Q3 in email security, with phishing attempts soaring by 30 million, according to Kaspersky Lab.
The Russian AV company’s latest spam and phishing report revealed that its products had blocked 137 million redirects to phishing sites in the period, a 28% increase on the previous quarter.
Global internet portals (32%) and banks (18%) were the most abused types of business in these attacks. In some cases, hackers are taking advantage of the pop-up notifications that some browsers employ.
“It is mainly deployed by websites that collaborate with various partner networks. With the aid of pop-up notifications, users are lured onto ‘partner’ sites, where they are prompted to enter, for example, personal data. The owners of the resource receive a reward for every user they process,” the vendor explained.
“By default, Chrome requests permission to enable notifications for each individual site, and so as to nudge the user into making an affirmative decision, the attackers state that the page cannot continue loading without a little click on the Allow button. The danger is that notifications can appear when the user is visiting a trusted resource.”
Elsewhere, Kaspersky Lab noted the usual phishing ploy of capitalizing on newsworthy events to trick victims into clicking: such as the new iPhone launch.
There’s also been an uptick in phishing attacks targeting global universities for academic research and personal student data. The firm recorded attacks against 131 universities in 16 countries worldwide.
Q3 saw a surge in sextortion spam in which the malicious email uses some of the victim’s real details such as name, password or phone number, which have been bought off the dark web. This lends greater credibility to the emailer, who typically claims they have webcam pics of the user watching pornography and demands a Bitcoin payment to avoid them sending the footage to friends, family and contacts.
Finally, Kaspersky Lab noted a campaign using fake news content designed to trick users into transferring cryptocurrency into an account controlled by the hackers.
The top sources of spam in Q3 were China (13%), the US (11%) and Germany (10%).
A notorious cyber-criminal who went under the online moniker 'DerpTrolling' has pleaded guilty to a series of distributed denial of service (DDoS) attacks dating back almost five years.
Utah resident Austin Thompson, 23, pleaded guilty this week in a federal court in San Diego to a charge of “damage to a protected computer.”
The attacks, which took place between December 2013 and January 2014, were targeted at online gaming companies including Sony Online Entertainment.
Thompson typically used the @DerpTrolling Twitter account to announce his intended corporate victims and to post screenshots confirming his handiwork.
According to the Department of Justice plea agreement, Thompson forced gaming servers and other equipment out of action for hours at a time in some cases, causing at least $95,000 in damages.
“Denial-of-service attacks cost businesses millions of dollars annually,” said California US attorney Adam Braverman. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”
The maximum penalty for Thompson’s crime is a decade behind bars and a $250,000 fine.
Kirill Kasavchenko, EMEA principal security technologist at Netscout Security, claimed that online gaming is a top target for DDoS-ers.
“Online gaming is a well-documented motivation for DDoS attacks. According to our annual Worldwide Infrastructure Security Report, it was ranked the top attack motivation in the service provider space, leaving extortion attempts and attack capability demonstration behind. Anyone who might be considering taking this wrong path needs to understand that they can be caught and held to account,” he argued.
“In the past, notorious hacking groups evaded justice despite causing huge disruption and financial damage. This plea deal hammers home the very real risk of launching a cyber-attack. Tracking techniques are evolving all the time, so there should be no doubt that you can be prosecuted for such malicious actions."