Info Security

Subscribe to Info Security  feed
Updated: 24 min 9 sec ago

Akamai: Credential Stuffing Attacks Against Media Services Surging During #COVID19

Fri, 08/21/2020 - 13:45
Akamai: Credential Stuffing Attacks Against Media Services Surging During #COVID19

Credential stuffing attacks against the media industry have grown substantially from an already large base during the COVID-19 pandemic, according to experts from Akamai speaking on a recent webinar.

This is borne out of a rise in people using online media during the lockdown, such as increased consumption of TV and streaming services for entertainment and news coverage regarding the pandemic. The growth in attempts to access media accounts is similar to spikes Akamai has observed in credential stuffing attacks during holiday periods over previous years, when such services are at their most popular. Martin McKeay, editorial director at Akamai, said: “This has become a more relevant discussion in 2020 than any year before it.”

In Q1 of 2020, Akamai figures showed that publishing was the sector most targeted by this type of attack due to a surge in popularity for news content about COVID-19.

Credential stuffing is essentially the use of a long list of usernames and passwords stolen from other sites to try and access accounts. This is often a successful tactic as many people use the same credentials across multiple online accounts.

Steve Ragan, security researcher at Akamai, outlined the scale at which this method was being used prior to the pandemic, with 88 billion credential stuffing attacks recorded between January 1 2018 and December 31 2019. Of these, 20% targeted the media industry, which in many ways is particularly vulnerable compared to other sectors.

“Unfortunately, password recycling and reuse in the media industry is very common,” Ragan explained. “A lot of users don’t see media accounts as something they need to protect and they often share these accounts with their friends and family.”

The ways in which cyber-criminals are doing this has also become more sophisticated, including merging of old and new lists of usernames and passwords against media services and the use of automation and bots to launch malicious login attempts at scale.

Ragan also noted that credential stuffing actors are increasingly acting as businesses, responding to market demands and even offering credentials for free to clients in order to build their reputation.

Defending against this type of attack is no easy task. Akamai highlighted that one way they’re helping protect their customers is to try and drive up the compute costs whenever a bot is running mass credentials against an account. “It’s trying to drag that cost up, disincentivizing that attack,” said Patrick Sullivan, senior director of global security strategy at Akamai.

Ultimately, however, the only effective way of preventing these types of attacks taking place is by encouraging better password habits amongst users of media services. Sullivan commented: “As long as we’re using simple usernames and password credentials for authentication we will have these types of attacks and adversaries will evolve and become more evasive in the way they go about validating credentials.”

Ragan added: “No matter what you may think about the risk proposition an account has when it comes to media and streaming services, the criminals don’t care. The criminals will target anything and everything that isn’t nailed down. There’s always value in something, particularly when they can take an account over.”

Categories: Cyber Risk News

Volume of Stolen Cards on Dark Web Drops 41%

Fri, 08/21/2020 - 11:15
Volume of Stolen Cards on Dark Web Drops 41%

The volume of stolen payment cards up for sale on the dark web has plummeted in the first half of 2020 thanks in part to changing shopping patterns driven by COVID-19, according to Sixgill.

The cyber-intelligence company’s biannual Underground Financial Fraud report is distilled from its analysis of underground carding and other sites.

It revealed that around 45.1 million cards were put up for sale in the first half of 2020, a 41% decline from the 76.2 million offered on dark web sites in the second half of 2019.

The firm explained that much of the decline could be linked to unusual law enforcement activity in Russia which has led to the closure of several underground sites during the period.

Although Russian police are usually content to let cybercrime activity flourish inside the country as long as it is directed at foreign targets, investigators arrested 25 and shut dozens of online marketplaces back in March.

These accounted for 54% of the world’s stolen card trade, according to Sixgill.

“It’s likely that many of the accused criminals had drawn the ire of authorities by violating domestic criminal laws,” wrote cyber-threat intelligence analyst, Michael-Angelo Zummo.

“In arresting the suspects, police found illicit narcotics, firearms, fraudulent Russian passports and Russian law enforcement identification. In other words, these select criminals seemed to have violated the first rule of cybercrime: don’t hack where you eat.”

However, more dark web markets subsequently rose to take the place of those shut down.

The dramatic drop in card volumes in fact can’t be explained by increased Russian law enforcement activity alone.

Rather, fewer people are now shopping in stores where point-of-sale malware and skimmers may be installed to steal their card data, said Zummo.

These “dumps” are used to clone cards for face-to-face fraud, whereas only internet-based attacks such as Magecart can harvest the CVVs cyber-criminals need to commit online fraud, he explained.

In Europe, where EMV is more widespread, online attacks and fraud are by far the most popular type.

“Activity on dark web marketplaces shows that the coronavirus lockdowns have changed the fraud landscape. As in-person shopping declined, so did the types of credit card fraud that depended on it,” Zummo concluded.

“This sequence of events points to a shifting strategy for cybersecurity professionals, and consumers as well. Merchants need to make sure they have tools in place to prevent e-skimming attacks like Magecart, and, as in-person shopping continues to tick upward, retailers should only use chip-enabled point-of-sale systems.”

Categories: Cyber Risk News

Firms Splurge on Security and Staff During Pandemic

Fri, 08/21/2020 - 10:30
Firms Splurge on Security and Staff During Pandemic

A majority of global organizations have been spending more on cybersecurity and compliance during the pandemic, whilst also reporting increased pressure to reduce costs, according to new Microsoft data.

The Redmond giant polled nearly 800 business leaders from organizations with over 500 employees in the UK, US, Germany and India to better understand how COVID-19 has impacted cybersecurity.

The report revealed that 58% had increased security budgets and 65% upped compliance spending, although 81% said they’re also under pressure to cut overall security costs. Organizations with mostly on-premises environments are apparently more likely to feel squeezed on budgets.

In terms of technology spending, multi-factor authentication (20%), endpoint device protection (17%) and anti-phishing tools were the top targets for investment.

That tallies with respondents’ claims that phishing has been the biggest risk, with 90% citing it.

In the longer term, 40% said they are prioritizing investments in cloud security tools such as Cloud Access Security Broker (CASB), Cloud Workload Protection Platform and Cloud Security Posture Management (CSPM), followed by data security (28%) and anti-phishing (26%).

Part of the increased spending on security has also gone on new hires, according to the Microsoft data.

Over two-fifths (42%) said they’d brought in new talent to help out, while 40% outsourced the work. On the other side, 31% said they’d instituted a hiring freeze and 19% had downsized their security team.

The pandemic has also accelerated plans to transition to a Zero Trust environment for more than half (51%) of respondents, perhaps linking back to the large numbers investing in MFA.

“Security technology is fundamentally about improving productivity and collaboration through inclusive end user experiences. Improving end user experience and productivity while working remotely is the top priority of security business leaders (41%), with ‘extend security to more apps for remote work’ identified as the most positively received action by users,” argued Microsoft Security general manager, Andrew Conway.

“Not surprisingly, then, ‘providing secure remote access to resources, apps and data’ is the biggest challenge. For many businesses, the journey begins with MFA adoption.”

Categories: Cyber Risk News

Former Uber CSO Charged Over Alleged Breach Cover-Up

Fri, 08/21/2020 - 09:15
Former Uber CSO Charged Over Alleged Breach Cover-Up

A former Uber CSO has been charged with obstruction of justice after allegedly concealing the facts of a major 2016 breach of the firm from law enforcement, regulators and senior management.

Joseph Sullivan, 52, of Palo Alto, was the car hire giant’s security supremo from April 2015 to November 2017.

The criminal complaint against him, filed in a federal court on Thursday, alleges that he failed to inform the FTC about the compromise of personally identifiable information (PII) on 57 million customers and drivers.

Ironically, he apparently received an email from the hacker informing him of the breach just 10 days after having completed testimony to the regulator about a previous 2014 breach.

Instead of coming clean, Sullivan is alleged to have paid the cyber-criminals $100,000 in Bitcoin through a bug bounty program and forced them to sign an NDA claiming falsely that no data was taken or stored.

The indictment claimed that Uber personnel were able to discover the identities of two of the attackers, whose real names were placed on the NDA.

The Department of Justice complaint said that in August 2017, Sullivan briefed Uber’s new CEO, Dara Khosrowshahi, about the incident via email, editing the summary prepared by his team. It apparently stated falsely that payment had been made only after the hackers had been identified and also removed details about the type of data taken.

Sullivan now faces one count of obstruction of justice, carrying a five-year maximum term, and one count of misprision of a felony, which could land him three years. The latter offense is one in which an individual fails to inform the authorities of a felony they know has been committed.

The two hackers pleaded guilty last October to computer fraud conspiracy charges.

“Silicon Valley is not the Wild West,” said US attorney David Anderson. “We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

Casey Ellis, CTO and founder of Bugcrowd, argued that the case may have negatively influenced the public’s view of the hacking community and of bug bounties.

“Historically, hackers were strictly viewed as malevolent, but the industry’s understanding of ethical hackers within the industry has progressed within the last few years to include the much larger community,” he added.

“In fact, there’s a global community of ethical hackers who operate above board and in good faith, and are committed to helping organizations improve their security postures.”

Categories: Cyber Risk News

Surge in Demand for Cybersecurity Services a Boost for UK Startups

Fri, 08/21/2020 - 08:25
Surge in Demand for Cybersecurity Services a Boost for UK Startups

Funding for UK cybersecurity startups has surged by 940% since the start of the COVID-19 lockdown, with this sector experiencing substantial growth because of the health crisis, according to a new report by recruitment firm Robert Walters.

The research, entitled Cybersecurity - Building Business Resilience, showed that the £496m raised by investors in these companies in the first half of 2020 almost reached the entire figure for 2019 (£521m). These figures were first outlined by LORCA last month.

The new report also highlighted UK government figures showing there has been a 44% rise in companies providing cybersecurity products and services, suggesting that a new business in this area is registered every week on average.

The growth of this sector is largely due to the shift to home working during COVID-19, according to the report, with 48% of UK companies stating they do not have adequate cybersecurity capabilities to enable this safely in the long-term.

As a result, there was a 6% rise in vacancies in cybersecurity roles during the first half of 2020 in the UK. Cybersecurity consultancies were also found to be one of the fastest growing types of startups in the UK, with organizations increasingly looking externally for these services due to the skills shortage in the sector, estimated to be at 140,000 across Europe.

Ajay Hayre, senior consultant technology at Robert Walters, commented: “Historically, IT security has represented only 5% of a company’s IT budget but due to remote working and transition to online or cloud-based solutions, cybersecurity has been thrust to the center of business continuity plans – having proved its worth in enabling business objectives during lockdown.

“Not only will every company see the benefit of having this expertise in-house, but they will be looking externally for tools, services and advisors to help guarantee the future-proofing of their business by way of solid and robust cybersecurity provisions.”

Categories: Cyber Risk News

Sophisticated Peer-to-Peer Botnet Discovered

Thu, 08/20/2020 - 18:18
Sophisticated Peer-to-Peer Botnet Discovered

Researchers have discovered a sophisticated new peer-to-peer botnet that has been actively breaching Secure Shell servers since January. 

FritzFrog, which executes a worm malware written in Golang, was unearthed by a team at Guardicore. The malware deployed by the botnet is multi-threaded and fileless and disconcertingly leaves no trace on the disks of the machines it infects.

It creates a backdoor in the form of an SSH public key, providing the attackers with ongoing access to victim machines.

Organizations in the government, education, and finance industries have all been targeted by the botnet, which has managed to successfully breach over 500 servers. Victims include a railway company and universities in the United States and Europe.

Researchers wrote: "FritzFrog has attempted to brute force and propagate to tens of millions of IP addresses of governmental offices, educational institutions, medical centers, banks and numerous telecom companies."  

The botnet is considered to be sophisticated because its peer-to-peer (P2P) implementation was written from scratch and is completely proprietary. Researchers believe that this shows the botnet was created by "highly professional software developers."

FritzFrog uses a decentralized infrastructure to distribute control among all its nodes. 

Describing how the botnet functions, researchers wrote: "In this network with no single point-of-failure, peers constantly communicate with each other to keep the network alive, resilient and up-to-date. P2P communication is done over an encrypted channel, using AES for symmetric encryption and the Diffie-Hellman protocol for key exchange."

Guardicore Labs has developed a client program in Golang capable of intercepting FritzFrog’s P2P communication. However, researchers have not been able to pin down the origins of the malicious botnet.

"While we are unable to attribute the FritzFrog botnet to a specific group, we have found some resemblance to a previously-seen P2P botnet named Rakos," wrote researchers.

Guardicore Labs first noticed this malicious campaign in January as part of its ongoing Botnet Encyclopedia research. Researchers have identified 20 different versions of the malware executable. 

Offering advice on how to avoid becoming a FritzFrog victim, researchers wrote: "Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication."

Categories: Cyber Risk News

Phone Hack Traumatizes Neighbours Actress

Thu, 08/20/2020 - 17:32
Phone Hack Traumatizes Neighbours Actress

Australian actress Olympia Valance has fallen victim to a "traumatizing" phone hack that resulted in private images being shared without her consent.

Valance, famed for her appearances on Playing for Keeps and for her role as Paige Smith on TV soap opera Neighbours, issued a statement on Instagram confirming that her smart phone had been broken into.

The 27-year-old star, who is the younger sister of actress and singer Holly Valance, described the cybercrime as a "profound violation" that has had a long-lasting effect on her life.  

"I am writing this as confirmation that I know I have become a victim of cyber-crime,'' she posted on Instagram.

"I have been dealing with this for over a year now since my phone was compromised by a hacking of private images, which were then published online."

For Valance, the cybercrime has resulted in repeated re-victimization that she said has increased her anxiety. 

"I have since had to deal with this again recently, when new images were recirculated, retraumatizing me and pushing my anxiety into a space it has never been," said the actress.

Valance said that efforts by herself and her legal team to stop the spread of the images had not been successful. 

"Such offences involve leaking (in my case hacking) images without consent in order to humiliate, degrade, control and blackmail a person,'' she added.

"As a victim of this, I have had to fight to try and contain these images from reaching the broader public and for media not to publish stories using my name."

Valance said that people should be able to take intimate photographs without fear that someone will steal them and manipulate them for financial gain.

"Taking intimate photos for yourself, or to share with a partner is not a shameful thing to do. Stealing them and sharing them online without consent is," said Valance.

"We have to figure out a way to stand together and say it's hacking and destruction of illegally obtained images, not the taking of them that is shameful."

Valance emphasized that she had done nothing wrong and had nothing to apologize for. 

Categories: Cyber Risk News

US Cyber Command Gets New Operational Tools

Thu, 08/20/2020 - 16:29
US Cyber Command Gets New Operational Tools

A new set of cyber-operational tools has been successfully integrated into US Cyber Command's virtual cyber-training platform, the Persistent Cyber Training Environment (PCTE).

Col. Tanya Trout, outgoing director of the Joint Cyber Training Enterprise, said that newly integrated operational tools will be used during missions.

Cyber Command’s warriors can log in to the PCTE from anywhere in the world to conduct individual or collective cyber-training and rehearse missions. The platform was launched in February, and the environment was used for the first time in June for Cyber Flag, Cyber Command’s premier annual tier 1 exercise.

In July, the platform joined an integration pilot program with the program offices of the Unified Platform system and the Joint Cyber Command and Control system.  

Speaking during a virtual industry day for PCTE on August 19, Trout said: “This integration allowed for execution of small team tactics while performing active hunt of advanced persistent threat within a post-compromised range environment."

She added that the integrated PCTE enabled teams "to train and rehearse using available Joint Cyber War-fighting Architecture (JCWA) that gives us really the ability to train as we fight."

Demand for the PCTE has increased significantly since the outbreak of COVID-19 made social distancing part of daily life. Trout said that from March to May 2020, the number of new PCTE accounts had doubled. 

Since its delivery to Cyber Command, the PCTE has participated in another pilot geared toward mission rehearsal. Trout told the virtual industry day audience that members of the Cyber National Mission Force had used the PCTE to expand their mission rehearsal scope, scale, and fidelity in a virtualized adversarial network, helping them to calculate future requirements.

The Cyber National Mission Force is one of Cyber Command’s elite units aligned against specific threat actors and charged with protecting the United States in cyberspace.

Lt. Gen. Stephen Fogarty, commander of Army Cyber Command, told the industry day audience that the PCTE offers several advantages over the National Training Center. These advantages are that the virtual cyber-training environment has the ability to replicate an actual opponent and that its mission rehearsal capability allows users to input details of real prior operations and train against or upload malware discovered during operations.

Categories: Cyber Risk News

Poor Cybersecurity Behaviors Prevalent Amongst UK Remote Workers

Thu, 08/20/2020 - 14:32
Poor Cybersecurity Behaviors Prevalent Amongst UK Remote Workers

Nearly a quarter (23%) of UK office workers rely on unauthorized devices to work from home, a new study by CybSafe has found.

The research revealed that poor personal cybersecurity practices are commonplace amongst workers operating outside of corporate environments, which is worrying as home working is expected to become far more prevalent following the COVID-19 crisis.

The survey of 600 UK workers also found that one in 10 (9%) share their work devices with other people in their household.

One in five (20%) said they do not keep collaboration and video conferencing software, such as Zoom, Webex and Microsoft teams up-to-date, while 23% do not ensure software on devices connected to their home WiFi network, including work computers, are updated.

These bad habits could be linked to a lack of adequate cybersecurity training for staff, according to the report, with 65% of workers revealing that they have not received any training on keeping data secure when working remotely in the last six months. Additionally, only 37% of workers had received a working from home cybersecurity policy from their employer by the start of lockdown.

Oz Alashe, CEO of CybSafe, commented: “We now live in a world of borderless organizations where increasing numbers of people work remotely. Many are mobile. The lines between personal and professional are increasingly blurred, and everyone is at greater risk.

“Some staff are making cybersecurity mistakes in their homes, and businesses will need to adjust their cybersecurity approaches accordingly. What may have worked in the past doesn’t necessarily work now. Cybersecurity policy as well as awareness and behavior change programs will all require updates based on today’s working conditions.”

Dr John Blythe, head of behavioral science at CybSafe, added: “While our latest research suggests that many UK businesses have been forthcoming with changes to cybersecurity strategy, these haven’t taken place on the scale that we would have hoped for.”

In June, a study by CyberArk found that employee work from home habits are putting businesses at greater risk of cyber-attack.

Categories: Cyber Risk News

US Reveals New North Korean BLINDINGCAN RAT

Thu, 08/20/2020 - 11:10
US Reveals New North Korean BLINDINGCAN RAT

The US government is warning of a new remote access trojan (RAT) being used by North Korea’s notorious Lazarus Group.

The latest Department of Homeland Security (DHS) malware analysis report (MAR) is the product of an investigation between DHS body the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

Named as “BLINDINGCAN,” the RAT was used by Lazarus (aka Hidden Cobra) earlier this year to target government contractors for intelligence on “key military and energy technologies,” according to the report.

“The malicious documents employed in this campaign used job postings from leading defense contractors as lures and installed a data gathering implant on a victim's system. This campaign utilized compromised infrastructure from multiple countries to host its command and control (C2) infrastructure and distribute implants to a victim's system,” it added.

“CISA and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber-activity.”

The report urged any users or admins that spot activity associated with the RAT to report it to CISA or the FBI’s CyWatch immediately and prioritize mitigation.

Among recommended best practices for organizations listed by CISA were up-to-date AV and operating systems, strong password policies, user web monitoring, access control lists, disabling file and printer services, improved phishing awareness and more.

North Korean state-sponsored hackers have become increasingly belligerent, prompting a flurry of alerts from US government agencies.

An April advisory warned organizations to be on the lookout for crypto-jacking, extortion campaigns, cyber-enabled financial theft and money-laundering scams.

Meanwhile, a US army report from last month claimed that many of Pyonyang’s elite Cyber Warfare Guidance Unit operatives are actually working from outside the hermit state in countries such as Belarus, China, India, Russia and Malaysia.

Categories: Cyber Risk News

Facebook Expands Policy to Take Down QAnon and US Militias

Thu, 08/20/2020 - 10:10
Facebook Expands Policy to Take Down QAnon and US Militias

Facebook has removed or restricted over 10,000 Groups, Pages and accounts across the social network and Instagram linked to conspiracy theory outfit QAnon as part of a major new crackdown on it and US militias and anarchist groups.

The social media giant announced an expansion of its Dangerous Individuals and Organizations policy yesterday to cover those who have “demonstrated significant risks to public safety” but are not necessarily designated as a dangerous organization and banned outright.

“Under this policy expansion, we will impose restrictions to limit the spread of content from Facebook Pages, Groups and Instagram accounts. We will also remove Pages, Groups and Instagram accounts where we identify discussions of potential violence, including when they use veiled language and symbols particular to the movement to do so,” it continued.

“While we will allow people to post content that supports these movements and groups, so long as they do not otherwise violate our content policies, we will restrict their ability to organize on our platform.”

In Facebook’s armory are the options of: removing outright Pages, Groups and Instagram accounts linked to the movements, limiting recommendations to others, lowering their ranking in news feeds and search results, banning their Pages from running ads and preventing them selling products or raising funds in other ways.

“As a result of some of the actions we’ve already taken, we’ve removed over 790 groups, 100 Pages and 1500 ads tied to QAnon from Facebook, blocked over 300 hashtags across Facebook and Instagram, and additionally imposed restrictions on over 1950 Groups and 440 Pages on Facebook and over 10,000 accounts on Instagram,” Facebook said.

However, the new policy is not only intended to cover the right-wing conspiracy theory movement, but also “militia organizations and those encouraging riots, including some who may identify as Antifa.”

The social network said it has removed over 980 groups, 520 Pages and 160 ads from Facebook and restricted over 1400 hashtags related to these organizations.

As well as encouraging violence, these groups have also been accused of spreading misinformation. QAnon, for example, has been blamed for spreading lies about COVID-19 and famously purports that Donald Trump is secretly battling an underground faction of celebrities and Democrats that are members of a global pedophile ring.

Categories: Cyber Risk News

Businesses Opt to Outsource Cybersecurity Services

Thu, 08/20/2020 - 09:20
Businesses Opt to Outsource Cybersecurity Services

More than 50% of UK businesses are opting to use outsourced partners for cybersecurity services.

According to research by Skurio, there is a lack of in-house expertise in the area of digital risk protection – the ability to monitor risks, threats and breaches outside the network. The research found 80% of respondents stated their teams lack skills and knowledge in this area.

Jeremy Hendy, CEO of Skurio, said: “We’re facing exceptional circumstances in terms of working practices and how we need to manage cyber-threats, and this is placing significant pressures on businesses of all sizes. We know that the luxury of in-house security teams, on call 24/7 to monitor for external threats, is simply out of reach for many organizations.”

He said that it is encouraging that organizations not only recognize the importance of protecting their customer data, but that there’s also an appetite for innovative and disruptive technologies to protect against new threats.

Commenting, Ed Williams, EMEA director of SpiderLabs at Trustwave, said he was not surprised by the 52% figure, as cybersecurity skills are highly specialized and can take a number of years to gain. 

“The adoption of the cloud is a key area of focus for organizations and they are increasingly looking for security-related expertise to aid that journey,” Williams said. “They understand that they can’t afford to get this wrong as getting it wrong could have serious consequences for them. When we also look more recently, the COVID-19 pandemic highlighted that when organizations need to act quickly, they also need to balance that with ensuring that decisions and actions have been done securely.

“For example, there have been recent instances when we looked at VPN configurations and discovered a number of critical issues that could have been catastrophic, fortunately, we were able to identify these issues and they were remediated quickly.”

Faiz Shuja, co-founder and CEO of SIRP, called outsourced partners “an absolute lifeline for overstretched teams” as while cost is a driving force, “organizations also rely on the range of services that partners provide to protect against advanced attacks, to a level they can’t always replicate in-house.”

The Skurio research also found that as organizations manage more digital channels and use more third-party suppliers, the threat vectors rise exponentially. “Understanding your digital risk – all those threats on the deep and dark parts of the web – is a great first step in protecting against them. Businesses are much better prepared to mitigate an attack if they see it coming,” Hendy added.

In an email to Infosecurity, Sam Roguine, director at Arcserve, said there are always organizational and procedural steps that businesses must follow to have a complete cyber-threat protection strategy, but the tools and solutions would be too costly to insource, therefore he understands why outsourcing is so popular.

Asked about the 80% statistic around teams lacking skills and knowledge in the area of digital risk protection, Roguine said IT and cloud transformation initiatives put most organizations into a “transitional” state with up to a dozen different IT infrastructures, including the locations of where workloads and data reside.

“This causes an exponential rise of complexity when using a traditional approach to business continuity, data protection and cybersecurity – and a proportional increase of required relevant skills and knowledge. IT and other teams just cannot keep up internally,” he said. “That is why one of the primary trends is to simplify, consolidate and outsource.

“For example, hyper-converged infrastructure (HCI) is a way to combine all the pieces of a data center into one instead of planning – and making mistakes with – multiple components. Similarly to HCI, appliances and purpose-built devices combine preconfigured hardware and software, creating a shortcut from no solution to full implementation without a myriad of details. Also, cloud services (IaaS, SaaS, BaaS) provide a way to focus on business tasks, while letting the service provider handle the backend. All of these make IT more effective and allow teams to close skill and knowledge gaps, including business continuity, risk management, cybersecurity and data protection.”

Categories: Cyber Risk News

Experian Data Breach Hits 24 Million Customers

Thu, 08/20/2020 - 08:30
Experian Data Breach Hits 24 Million Customers

Experian has suffered a major breach of customers’ personal information, affecting an estimated 24 million South Africans and nearly 800,000 businesses.

The credit reporting agency revealed in a statement yesterday that an individual fraudulently claimed to represent one of its client and then requested “services” from the firm, prompting the release of the data.

Experian sought to play down the seriousness of the incident by claiming that this information “is provided in the ordinary course of business or which is publicly available.” It did not clarify exactly what customer records were taken, but said that the trove did not contain consumer credit or financial information.

Experian was also tight-lipped on the number of customers affected, although one of the authorities it has engaged with following the incident, non-profit the South African Banking Risk Information Center (SABRIC), claimed 24 million consumers and 793,749 business entities were involved.

It explained that domestic banks have been working behind the scenes to identify how their customers may have been impacted.

“The compromise of personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts,” said SABRIC CEO, Nischal Mewalall. “However, criminals can use this information to trick you into disclosing your confidential banking details.”

SABRIC urged affected Experian customers not to reveal any additional personal information if they receive unsolicited contact online or by phone, and to change their passwords regularly.

Experian claimed that the individual involved in the incident has already had their “hardware” confiscated and the stolen data has been secured and deleted.

“Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes,” it added. “Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”

It confirmed that its own IT infrastructure had not been compromised.

This isn’t the first major data breach to hit the credit reporting giant. Back in 2015, 15 million North American customers and applicants had their personal data, including Social Security numbers and ID details, stolen.

Categories: Cyber Risk News

Chrome to Warn Users Completing Suspicious Forms

Wed, 08/19/2020 - 17:46
Chrome to Warn Users Completing Suspicious Forms

Users of Google's cross-platform web browser Chrome are to be shown a warning when they start to complete a form that may not be secure. 

Beginning in M86, Chrome will warn users when they try to complete forms on secure (HTTPS) pages that are submitted insecurely. These forms, which are described on the Chromium Blog as “mixed forms,” have been deemed by Google to be unsafe.

post published on the blog on Monday reads: "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users’ security and privacy.

"Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data."

In an effort to protect users from inadvertently sharing details with malicious actors, Chrome will be disabling the autofill facility on mixed forms. 

However, the change will not affect the autofill process used by Chrome's password manager.

"On mixed forms with login and password prompts, Chrome’s password manager will continue to work," the blog states. "Chrome’s password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely than to reuse passwords."

From M86, when a user begins filling out a mixed form, they will be shown warning text alerting them that the form is not secure. The text will read: "This form is not secure. Autofill has been turned off."

If a user ignores the warning and tries to submit a mixed form, they will see a full-page alert highlighting the potential risk and asking them to confirm if they’d like to go ahead with the submission.

Explaining why Chrome is making these changes, Chrome Security Team's Shweta Panditrao wrote: "Before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms."

Tim Wade, technical director, CTO Team at Vectra, commented: “By creating simple, straightforward warnings that users understand demystifies security for the end user, which makes the web a much safer place.”

Categories: Cyber Risk News

Majority of ICS Vulnerabilities Can Be Exploited Remotely

Wed, 08/19/2020 - 17:11
Majority of ICS Vulnerabilities Can Be Exploited Remotely

New research has found that more than 70% of industrial control system (ICS) vulnerabilities disclosed in the first half of 2020 can be exploited remotely.

The discovery was unveiled in the inaugural "Biannual ICS Risk & Vulnerability Report," released today by Claroty, a global leader in operational technology (OT) security.

The report details the assessment of 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during the first half of 2020, affecting a total of 53 vendors. 

Claroty's research team found that ICS vulnerabilities published by the NVD in 2020 increased by 10.3% from the 331 published last year. 

The number of ICS-CERT advisories published over the same period had increased much more significantly, with 32.4% more in 2020 than the 105 published in 2019. 

Alarmingly, more than 75% of vulnerabilities published in the first half of 2020 were assigned high or critical Common Vulnerability Scoring System (CVSS) scores.

“There is a heightened awareness of the risks posed by ICS vulnerabilities and a sharpened focus among researchers and vendors to identify and remediate these vulnerabilities as effectively and efficiently as possible,” said Amir Preminger, vice president of research at Claroty. 

“Our findings show how important it is for organizations to protect remote access connections and internet-facing ICS devices, and to protect against phishing, spam, and ransomware, in order to minimize and mitigate the potential impacts of these threats.”

Researchers found that more than 70% of the vulnerabilities published by the NVD can be exploited remotely, illustrating the rarity of fully air-gapped ICS networks that are isolated from cyber-threats. 

The most common potential impact was remote code execution (RCE), found to be possible with 49% of vulnerabilities. This was followed by the ability to read application data (41%), cause denial of service (DoS) (39%), and bypass protection mechanisms (37%).

Of the 385 unique Common Vulnerabilities and Exposures (CVEs) included in the advisories, energy had 236, critical manufacturing had 197, and water and wastewater had 171.

Categories: Cyber Risk News

New Vulnerability Threatens IoT Devices

Wed, 08/19/2020 - 16:52
New Vulnerability Threatens IoT Devices

A team of IBM hackers has discovered a vulnerability in a component used in millions of Internet of Things (IoT) devices. 

The flaw in Thales' (formerly Gemalto) Cinterion EHS8 M2M module was uncovered by IBM's X-Force Red team. 

After further testing, Thales confirmed that the newly detected vulnerability also affected nine other modules within the same product line of the EHS8, including the BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, and PLS62.

The modules found to carry the weakness are mini circuit boards that enable mobile communication in IoT devices. These modules run and store Java code that frequently includes sensitive data like encryption keys and passwords. 

If a malicious actor managed to steal such information from the modules, they could potentially get control over a device or gain access to the central control network to conduct widespread attacks.

Thales is one of the leading manufacturers of components that enable smart devices to connect to the internet, verify identities, and securely store information. The company's vast portfolio connects over 3 billion devices per year ranging from cars to medical monitoring devices.

Explaining how such an attack could work on a medical device, a spokesperson for X-Force Red said: "Cybercriminals could manipulate readings from monitoring devices to cover up concerning vital signs or create false panic. In a device that delivers treatment based on its inputs, such as a pacemaker or insulin pump, they could also over or underdose patients."

If attackers used the flaw to target energy and utilities devices such as smart energy meters, the consequences could potentially be just as dire.

The spokesperson said: "Attackers could hack smart meters to deliver falsified readings that increase or reduce a monthly bill. With access to a large group of these devices through a control network, a malicious actor could also shut down meters for an entire city causing wide-reaching blackouts that require individual, in-person repair visits, or even worse, damage to the grid itself." 

The vulnerability was discovered by X-Force Red in September 2019 and discussed by the team at their virtual Red Con 2020 event earlier today. 

In February 2020, Thales released patch CVE-2020-15858 to customers. 

Categories: Cyber Risk News

SpyCloud Raises $30m in Funding to Tackle Surge in Online Fraud During #COVID19

Wed, 08/19/2020 - 14:45
SpyCloud Raises $30m in Funding to Tackle Surge in Online Fraud During #COVID19

Cybersecurity firm SpyCloud has raised $30m from a Series C round of funding as it looks to further develop its fraud detection and prevention capabilities.

The new investment was led by Centana Growth Partners and included contributions from M12 (Microsoft’s venture fund), Altos Ventures, Silverton Partners and March Capital Partners.

The announcement follows a surge in online scams during the COVID-19 crisis, with cyber-criminals exploiting the increasing reliance on internet services during the lockdown. SpyCloud revealed that in the early days of the pandemic, it uncovered 139,000 new web domains related to the virus. There have also been multiple new scams carried out by fraudsters, including posing as government agencies to launch phishing attacks and undertaking credential stuffing attacks on food delivery apps.

The security company therefore wants to expand its product and engineering teams and create new technologies to protect against these kinds of activities.

“Criminals work together to steal information and find creative ways to monetize it. As a result, even the most careful and sophisticated organizations are vulnerable,” explained Ted Ross, SpyCloud CEO and co-founder. “SpyCloud will continue to pursue new and innovative ways to stay ahead of criminals and provide solutions that make the internet a safer place for individuals and businesses.”

SpyCloud added that the takeover of business accounts to commit fraud via stolen employee and customer credentials is one of the most common methods used by cyber-criminals, and this threat has grown as a result of the rise in home working during the pandemic.

Eric Byunn, partner at Centana Growth Partners who has joined SpyCloud’s board, commented: “With so many people now working from home and multiple family members sharing devices with a mix of personal and professional applications, attack surfaces have increased significantly. Criminals are certainly taking full advantage of these new opportunities to exploit your employees and their family members. SpyCloud is dedicated to protecting everyone from attacks and preventing them before they happen.”

Categories: Cyber Risk News

Data Firm Exposes 235 Million Social Media Profiles

Wed, 08/19/2020 - 13:01
Data Firm Exposes 235 Million Social Media Profiles

A social media data broker has exposed the public-facing profiles of 235 million users via a misconfigured online database, according to researchers.

Comparitech teamed up with Bob Diachenko to uncover three identical copies of the data on August 1, left online with no password or other authentication required to access it.

In total, 192 million profiles were scraped from Instagram, 42 million from TikTok and four million from YouTube.

Each record contained some of the following: profile name, real name, profile pic, account description, age, gender and more.

Around a fifth of profiles also contained either a phone number or email address, according to Comparitech.

Although the personal information contained in this trove was all publicly available, social media companies like Facebook have threatened legal action in the past against automated data scraping firms that subsequently sell their collections to marketers.

Comparitech said that although access to the exposed database was shut down three hours after its first disclosure, it’s unclear how long the information was left online without a password.

The firm warned that, if discovered, the trove could have been used by spammers or to make follow-on phishing attacks more convincing.

The data itself was traced back to Social Data, a firm that apparently sells data on social media influencers to marketers. It was at pains to point out that the exposed information was taken from publicly available profiles, even though their consolidation into a single database makes it a more attractive prospect for cyber-criminals.

Comparitech also claimed that “evidence” suggests a connection between the data and a now-defunct company known as Deep Social which was removed from Facebook and Instagram marketing APIs in 2018 and threatened with legal action.

Social Data reportedly denied any connection between the two companies, although some of the original datasets were labelled as follows: “accounts-deepsocial-90” and “accounts-deepsocial-91.”

Categories: Cyber Risk News

Police and Industry Take Down $42m “Bulletproof Exchange”

Wed, 08/19/2020 - 09:35
Police and Industry Take Down $42m “Bulletproof Exchange”

Bitcoin exchange Binance has revealed how it joined forces with Ukrainian police to take down a cybercrime gang thought to be responsible for laundering $42m in cryptocurrencies.

First announced by the Cyberpolice of Ukraine back in June, the raid led to the arrest of three residents from the Poltava region. They have been accused of laundering the funds via 20 online cryptocurrency exchanges over the 2018-19 period.

More than $200,000 worth of computer equipment, weapons, ammunition and cash were seized during the swoop.

In a blog post published on Tuesday, Binance explained that the police operation was the product of a first-ever collaboration with its Binance Sentry security team and Security Data Science analytics arm.

The “Bulletproof Exchanger” project began in early 2020.

“One of the Security Data Science team’s tasks is to identify transactions between Binance and high-risk entities, including what we refer to as ‘bulletproof exchangers.’ These cryptocurrency platforms often serve as the cash-out points for cryptocurrency operations connected to financial crimes and other fraud,” it explained.

“Similar to bulletproof hosting services, which are web hosting providers with more lenient rules regarding what can be hosted on their servers, bulletproof exchangers are well-known for their lenient know-your-customer (KYC) and anti-money laundering (AML) policies.”

In conjunction with Blockchain analytics firm TRM Labs, Binance looked for entities handling large transaction volumes linked to high-risk categories like ransomware attacks, exchange hacks and darknet-related activities.

Its big data analysis provided police with crucial evidence for its investigation, which remains ongoing.

“As the digital currency market has a large number of financial transactions with money obtained from hacker attacks on international companies, the spread of malware, theft of funds from the bank accounts of foreign companies and individuals, the Department of Cyberpolice with Binance and its methodological assistance, promotes more prompt detection of those involved in such offenses,” said police chief Oleksandr Hrynchak.

Categories: Cyber Risk News

Marriott Hit by Another Class Action Lawsuit After Breach

Wed, 08/19/2020 - 09:00
Marriott Hit by Another Class Action Lawsuit After Breach

Marriott International is set for another courtroom showdown with victims of a major data breach announced in 2018, affecting 339 million global customers.

Tech journalist Martin Bryant, 41, has reportedly filed a collective action lawsuit on behalf of the estimated seven million former guests of the hotel giant from England and Wales whose personal data was compromised.

Represented by law firm Hausfeld, Bryant is claiming damages for loss of control of personal data, under the UK’s Data Protection Act 1998 and the EU General Data Protection Regulation, according to the Financial Times.

“Personal data is increasingly critical as we live more of our lives online but, as consumers, we don’t always realize the risks we are exposed to when our data is compromised through no fault of our own,” he told the paper.

The suit comes on the back of other legal action in the US and Canada.

It comes after UK data protection regulator the Information Commissioner’s Office (ICO) has come in for criticism after delaying its final decision on the size of the fine to be levied.

The ICO originally issued a notice of intent in July 2019 to fine Marriott £99m for security failings that led to the incident. However, the company has since made representations to the regulator in an attempt to dial down the fine.

Originally extended to May 2020, the final decision from the ICO is now likely in September.

However, the latest legal action proves that regulatory fines are only one small part of the total costs of a data breach that victim organizations can expect to pay.

“As well as being subject to GDPR and the legal, financial and reputational implications that come with it, organizations have a duty of care to their customers,” argued Stuart Reed, UK director of Orange Cyberdefense.

“Preventative measures are simply not sufficient. There must also be ongoing monitoring of key systems and robust response procedures in place to minimize the impact should the worst happen and a breach occur.”

Categories: Cyber Risk News