A new scam is impersonating WhatsApp and using the fraudulent claim that its victims will receive "free internet," according to ESET researchers.
“Researchers in Latin America received a message on WhatsApp stating that the app was giving away 1,000 GB of internet data to celebrate its anniversary. It shouldn’t come as much of a surprise when we say that it was a scam,” the report said, before examining the situation in greater detail.
The URL seemed suspect to the researchers, who noted that it wasn't an official WhatsApp domain. “Even though businesses may sometimes run promotions through third parties, the rule of thumb here is to check on the company’s website to make sure any promotion is real and valid,” researchers added.
Indeed, clicking on the link delivers the user to a survey page with the WhatsApp logo at the top. Not surprisingly, those who fall for the scam and start answering questions are then invited to share the link with 30 friends in order to be entered in the drawing to win.
“Apparently their goal here is click fraud – a highly prevalent monetization scheme that relies on racking up bogus ad clicks that ultimately bring revenues for the operators of any given campaign,” the report said. Because it can be repurposed to perform a variety of other functions, click fraud presents many different threats.
“Even though in this case we found no evidence that clicking the link led to the installation of malicious software or that there was any intention to phish for personal information, it doesn’t mean that this cannot change at any time.”
Researchers added that the domain used in this scam is also hosting other fraudulent offers from high-profile companies, including Adidas, Nestlé and Rolex.
Russian state-sponsored trolls have been in action again, this time co-ordinating fake news efforts on social media designed to influence last week’s Ukraine elections.
The news was revealed by Facebook’s head of cybersecurity policy, Nathaniel Gleicher.
The campaign in Ukraine focused on two main areas: one originating in Russia which led to the removal of 18 Facebook accounts, nine pages, and three groups; and another originating from Russia and the Luhansk region of Ukraine which led to the removal of 83 Facebook accounts, two pages, 29 groups, and five Instagram accounts.
In the former, those behind the operation created fake accounts, impersonated dead Ukrainian journalists and hid their true location as well as driving users to other websites. It involved frequent criticism of the Ukrainian government ahead of the presidential elections last week.
The second operation involved users posing as members of the Ukrainian military and focused on the conflict in the east of the country, centered around Luhansk.
However, the activity stretched well beyond Ukraine to the other side of the world.
Gleicher explained that his team was also forced to remove 12 Facebook accounts and 10 Facebook pages after spotting a fake news effort in Thailand designed to influence public opinion. It appears to have links with the Russian state.
“The people behind this small network used fake accounts to create fictitious personas and run pages, increase engagement, disseminate content, and also to drive people to off-platform blogs posing as news outlets,” he said.
“They also frequently shared divisive narratives and comments on topics including Thai politics, geopolitical issues like US-China relations, protests in Hong Kong, and criticism of democracy activists in Thailand. Although the people behind this activity attempted to conceal their identities, our review found that some of this activity was linked to an individual based in Thailand associated with New Eastern Outlook, a Russian government-funded journal based in Moscow.”
Facebook also removed 181 accounts and 1488 pages involved in a coordinated inauthentic activity campaign in Honduras. It traced back these efforts to social media managers in the government there.
The UK has been slammed for illegally copying and sharing a database of EU citizens, but is taking “practical steps” to address the issue, according to a new report.
European commissioner for security, Julian King, refused to cite the UK by name when challenged on the findings of a classified report revealed by EU Observer.
He told the site, “those are meant to be confidential discussions that we have with the individual member states.”
However, King did say that measures were being taken to address the failings outlined in the report.
It apparently details how the UK broke data protection laws by making multiple copies of the EU’s Schengen Information System (SIS) database, which contains the details of suspects, undocumented migrants and others wanted by the police.
Although the UK is not in the travel-free Schengen zone, it was granted access to the SIS since 2015 for security purposes.
It’s claimed that the multiple copies exposed the data to an increased risk of loss or theft, as did the UK government’s sharing the information with contractor IBM, which may have been obliged to hand it over to the US authorities under the terms of the Patriot Act.
The report also claims that as the database is continually updated, the UK’s versions, stored on laptops and PCs at airports and in government offices, are always out-of-date, meaning some individuals could be wrongly identified.
Together, these issues “constitute serious and immediate risks to the integrity and security of SIS data as well as for the data subjects,” the report is said to have stated.
However, King claimed it wasn’t just the UK which had fallen short on data protection best practice.
“It is not just one member state that has some challenges in this area, there are a number of member states that have challenges in this area,” he said.
The revelations come at a crucial juncture as the UK seeks to leave the EU following a change of Prime Minister and accession of a right-wing government. One of the key areas of discussion between negotiators on both sides is security, with the UK looking to maintain access to such databases and other information-sharing agreements.
A British cybersecurity researcher who was arrested in the US for historic hacking offenses has been spared jail time.
Marcus Hutchins, 25, sprang to fame in 2017 when he discovered a “kill switch” which helped to mitigate the impact of the infamous WannaCry worm.
However, a few months later things turned sour after he was arrested by police whilst attending Black Hat/Def Con in Las Vegas.
On bail since that time, Hutchins pleaded guilty back in April to two counts of creating and spreading malware. According to that plea, between July 2012 and September 2016, he helped create and, in partnership with another, sell malware known as UPAS-Kit and Kronos.
This malware was subsequently used in attacks to steal consumer banking log-ins and other details.
Hutchins’ lawyers had argued that he was still technically a child when he committed those felonies, and that he was now using those same skills “for constructive purposes.” They also claimed that some of the evidence against Hutchins should be inadmissible as he wasn’t fully aware of his rights at the time of interview.
Judge JP Stadtmueller appears to have agreed that Hutchins has “turned a corner.” The Devon man will now be allowed to return to the UK, and is not liable for any fines. He was facing a 10-year stretch if found guilty but will now be required only to complete a year of supervised release.
The judge went even further, recommending that Hutchins’ lawyers look into securing a pardon from the US government, as he does not have the power to grant one himself.
“@marciahofmann and I are thrilled that the judge recognized the important contributions @MalwareTechBlog has made to keeping the world secure and let him go home a free man. It’s been a true honor to represent him,” wrote Brian Klein of Baker Marquart LLP.
“Without precedent and more than appropriately, the judge even suggested @MalwareTechBlog explore a pardon. @marciahofmann and I plan to do so.”
Web traffic during Amazon Prime Day, in which 250 e-commerce merchants participated, reflected a significant uptick in the US, according to Akamai.
The fifth annual event spanned 48 hours this year, resulting in a 14% spike in web traffic. “This increase in participation and strong revenue figures mean that traffic was up as shoppers researched and purchased items. We tabulated and analyzed aggregate statistics from global online retail traffic that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points. For our baseline, we used the month of June 2018 and did not adjust for the fact that 2018 Prime Day was 36 hours vs. 48 hours for Prime Day 2019,” according to a July 25 blog post.
Interestingly, the surge in US traffic resulted in a decline in global traffic, “with the exception of LATAM, where baseline traffic increased nearly three times as much as the US,” according to the research.
Consumers are increasingly using mobile for online shopping, which was reflected in the research as well. “Looking at just Prime Day 1, the year-over-year change shows a healthy increase (12.94%) for mobile, with a decrease for desktop and a very large drop (-21.42%) for tablets,” the report said.
The report warned that retailers need to be aware of these spikes in traffic in order to prepare for future online sales and the holiday season, according to Akamai’s Chris Wraight. “Also, the growing number of shoppers who use their mobile device to research means that it is vital to present images and videos quickly, regardless of device, browser or connection speed,” wrote Wraight.
With a spike in traffic comes the additional threat of cyber-attacks. The report also found that “nearly 10 billion total bot attacks during the 48 hours of Prime Day is equal to the number of retail-specific bot attacks we detected from May to December 2018. Prime Day was very attractive to threat actors due to the high visibility of Prime Day and the larger number of retailers offering their own promotions. Detecting, correctly interpreting and remediating credential stuffing attacks needs to be a top priority of retailers, especially going into the Q4 holiday peak traffic season.”
“This year collaborations between threat actors allowed even more destructive attacks that paralyzed numerous organizations worldwide. What ends with a ransomware attack usually starts with a more silent sequence of bot infections,” the report said.
Though there was an 18% decrease in the number of global organizations impacted by crypto-miners from 2018 to 2019, the report found that there was a sharp increase in supply chain attacks. “Software supply chain attacks attracted public and government attention,” the report said.
“In such attacks threat actors inject malicious code into components of legitimate applications, victimizing a large number of unsuspecting users. The accumulation of several cases since the beginning of the year led the American government to devote special attention to this evolving threat and will soon publish official recommendations on ways to minimize the impact of such attacks.”
In addition, the vast majority (90%) of attacks leveraged older vulnerabilities that were registered in 2017 and earlier, and more than 20% of attacks used vulnerabilities that are at least seven years old, according to the research.
2019 has also seen a surge in sextortion scams and business email compromise (BEC). “This year saw the sextortion scammers doing everything possible to make their victims worried enough to pay up and avoid the publication of the alleged sexual materials. This mainly includes providing the victim’s personal credentials as evidence, which were usually leaked in previous data breaches or purchased in underground forums,” the report said.
Also on the rise are attacks targeting resources and sensitive data in public cloud environments. According to the report, “So far this year, cloud cryptomining campaigns stepped up, upgraded their technique set and were capable of evading basic cloud security products, abusing hundreds of vulnerable exposed Docker hosts and even shutting down competitors’ cryptomining campaigns operating in the cloud.”
A San Mateo, California, grand jury issued a report this week that focuses on San Mateo County’s email and online communication platforms, which are vulnerable to hijacking and propagating disinformation in the guise of election instructions or announcements.
“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public. Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report said.
In San Mateo County, the Assessor–County Clerk–Recorder and Elections (ACRE) uses email, social media and website to collect voter information directly from local election offices. Attackers hijacked the election results webpage in 2010; six years later, the county suffered a breach resulting from a spear-phishing email.
After analysis, the grand jury determined that “the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure,” according to the report.
The report goes on to make specific recommendations that include the use of FIDO physical security keys, which Satya Gupta, CTO of Virsec, said is a bit unsettling. “Two-factor authentication should be the norm for any important business transaction and is used and offered by most online services. Intercepting SMS codes with a [man-in-the-middle] attack is actually quite difficult, and hardware authentication devices, while more secure, are less practical to distribute widely and securely. Stepping back, the real problem seems to be county agencies using social media platforms to communicate official business. Stronger authentication may help but will not stop the torrent of false social media information we should expect during this election cycle.”
The fact that two-factor authentication isn’t already being used is appalling to Pierluigi Stella, CTO of Network Box USA, who pointed out that “in 2019, a grand jury should not be the body that has to propose the adoption of what should be obvious security measures.”
“The people running the security policies of the institutions that are in charge of the election process are not forcing the issue and ensuring the adoption of the highest security standards already. We do not need a grand jury to state the obvious. These situations baffle me to no end. Two-factor authentication may not be the ultimate solution, yes, but it surely goes a long way towards making hackers' lives miserable, hence enhancing and augmenting the element of data safety,” Stella said.
The governor of Louisiana has declared a state of emergency after ransomware attacks knocked out IT systems in three school districts.
The outages occurred in Sabine, Morehouse, and Ouachita parishes in North Louisiana, with the declaration made to ensure that cybersecurity experts from the state’s National Guard, State Police, Office of Technology Services and others are on hand to help local governments respond.
“The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since,” said John Bel Edwards in a statement.
“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.”
It’s not the first time such a declaration has been made; something similar happened in Colorado in 2018 after a SamSam attack crippled local services. However, the latest incident highlights the continued threat posed by ransomware.
In South Africa, some Johannesburg residents have suffered power outages after local provider City Power was hit by ransomware on Thursday morning, local time. Customers are unable to access the firm’s website for information and suppliers are unable to log invoices, it said in a series of tweets over the past few hours.
“City Power will continue to work throughout the night to recover the systems and restore remaining applications. We are hoping that if everything goes according to plan, everything should be restored by Friday,” it said.
Ilia Kolochenko, founder of security firm ImmuniWeb, argued that this is just the beginning.
“Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber-gangs. These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive. Cryptocurrencies make such crimes technically impossible to investigate in most cases, letting the wrongdoers enjoy impunity,” he added.
“Law enforcement agencies are already overburdened with an increasingly growing pipeline of sophisticated investigations, often aggravated by continuous lack of financing and unfriendly colleagues from foreign jurisdictions. Unless governments develop, finance and duly enforce security regulations purported to safeguard cities and municipalities, we will soon dive into a darkness, facing grave accidents involving airports and other objects of critical infrastructure.”
Voting infrastructure in all 50 US states was probably infiltrated by Russian intelligence over the past few years, according to a new Senate Intelligence Committee report.
Although there’s no evidence that any votes were changed or any voting machines were manipulated, the heavily redacted report does reveal that hacking activity began as far back as 2014 and continued into “at least 2017.”
Investigators from the FBI and Department of Homeland Security (DHS) analyzed the activity of suspect IP addresses discovered in 2016 and came to the conclusion that Russian activity was far more widespread than the 21 states previously assumed to have been targeted.
“DHS assessed that the searches, done alphabetically, probably included all 50 states, and consisted of research on general election-related web pages, voter ID information, election system software, and election service companies,” the report claimed.
“State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.”
Although there were opportunities to interfere with voting, the hackers, who displayed TTPs associated with Russian state-sponsored actors, appear to have chosen not to do so in 2016. However, this could change next time around, the report warned.
“If Russia’s preferred candidate does not prevail in the 2020 election, the Russians may seek to delegitimize the election,” it argued. “The absence of any successful cyber intrusions, exfiltrations or manipulations would greatly benefit the US public in resisting such a campaign.”
Piers Wilson, head of product management at Huntsman Security, warned that hackers have a good chance of being successful in future elections, and governments must focus on improving their response.
“The operation of voter registration systems; the design, build and operation of electronic voting systems; the management of polling booths – all depend on technology and hence knowing how well defended these disparate systems are is no different,” he said.
“There will always be actors looking to disrupt the democratic process so governments must be able to react swiftly to any attacks, and have the right contingency plans in place to keep the faith of the electorate.”
Researchers have found over 23 million stolen credit and debit cards up for sale on the dark web, with US consumers by far the hardest hit.
Nearly two out of every three stolen cards on the sites trawled by Sixgill were issued in the US, amounting to more than 15 million. The next hardest-hit country was the UK, which accounted for over 7%.
Tellingly, just 316 stolen cards out of the total 23 million were Russian issued. This isn’t just because many hackers are of Russian origin, but also because of the relatively low GDP of the country, making its citizens less attractive targets, the report claimed.
Although the figures are small in comparison to the five billion cards issued globally by Visa, Mastercard and American Express, fraud on these is estimated to cost US businesses and consumers around $12bn by 2020, according to separate predictions from The Nilson Report.
Threat actors are increasingly moving away from traditional dark web marketplaces to Internet Relay Chat (IRC) channels and encrypted Telegram chats, making it harder for researchers to monitor them, according to Sixgill.
“Fraudsters have a number of illicit methods they use to steal card data. They place ‘skimmers’ over the card readers on gas pumps and ATM machines. Retail workers and restaurant employees use devices to copy the swipes when they take a card for payment,” the firm continued in a blog post.
“They infect computers and other devices with malware to record payment information when their owners buy from e-commerce sites. Hackers infiltrate the networks of large companies and simply steal millions of records at a time.”
Credit card information sells for as little as $5 and comes in two main types: one including all the card details plus CVV for fraudsters to use easily online, and dumps containing magstripe data which enable cyber-criminals to create counterfeit cards.
The former is more popular as it’s easier to commit fraud online, said Sixgill. Dumps of magstripe data will likely get less popular as more retailers and consumers adopt EMV in the US.
Email remains the vector of choice for cyber threat actors with the majority of organizations citing phishing as their top perceived threat, according to a new survey from Dimensional Research and Barracuda Networks.
With the rise of more complex, advanced threats, such as account hijacking and spear-phishing, the majority of organizations have faced attacks in just the last year, according to a survey of more than 600 IT professionals responsible for corporate email security.
“On average, more than four-fifths (82%) of organizations claim to have faced an attempted email-based security threat in the past year, although the figures differ slightly by global region,” the report said.
The survey results revealed that despite growing confidence in security measures and awareness, concerns over phishing continue to rise, particularly given the reality that attack methods continue to evolve and target victims with social engineering. Nearly all (93%) of respondents said they are worried about business email compromise (BEC). With the prevalence of BEC and account takeover attacks, 79% of organizations are concerned about potential insider threats and other account hijacking attacks.
Oddly, 63% of organizations also reported that they feel more secure than ever. The report noted that organizations should treat this feeling of confidence with caution. “If an organization lacks the tools to accurately detect threats, it may have a false sense of security. APAC companies are the most likely to feel their security has improved, while EMEA companies are the least likely,” the report said.
When asked about the impact of email threats, 48% of participants said they had suffered a loss of employee productivity and 36% said they had experienced downtime and business disruption. When asked about breaches, 78% of participants said that breach costs are also increasing, both in monetary terms and in lost productivity.
The survey also found a pitfall in terms of security spend. “Organizations are clearly under-investing in tools designed to protect email beyond the traditional security gateway. Just a quarter or fewer had automated incident response, dedicated spear-phishing protection or tools to prevent account takeover.”
Police officers from the UK and the Netherlands announced a new campaign that would allow first-time cybercrime offenders to learn from their mistakes through a program called Hack_Right, according to Cyberscoop.
At the International Conference on Cybersecurity at Fordham University, the joint forces discussed the program that is intended to help young offenders who may not understand the severity of their crimes. Geared toward hackers between the ages of 12 and 23 years old, Hack_Right would allow youngsters to avoid the legal consequences of their crimes by participating in a program focused instead on educating teens.
“We do this…to get out and find them and get them into computing clubs before we have to investigate someone and lock them up,” Gregory Francis, acting national prevent lead at the National Cyber Crime Unit of the National Crime Agency, reportedly said. “[Cybercrime] is not a law enforcement problem. It’s a societal problem.”
The program includes a community service project that requires 10 to 20 hours of ethical computer training and engaging in conversations with professionals who can discuss possible career paths and education opportunities based on their interests.
“We should welcome any opportunity to show ‘at risk’ hackers ways in which they can use their skills for good, such as helping secure the internet,” said Ben Sadeghipour, head of hacker operations at HackerOne.
“I think the best way to educate the younger generation to do the right thing is to show them the benefits of being a white hat, since now you can get the same fame, notoriety and money as black hats used to, without the risk of going to prison. Encouraging young hackers to use their skills for good is what we’re about at HackerOne. We have hundreds of thousands of hackers on our platform, and nearly 54% of them are under the age of 24. We believe that bug bounty programs provide an environment in which young hackers can safely hone their skills while earning real money from it.”
A cyberattack campaign using malicious RTF documents has been targeting government IT agencies in Eastern Asia, according to research published today by Proofpoint.
Dubbed Operation LagTime IT, the campaign uses malicious documents to deliver custom Cotx RAT malware to tech agencies responsible for overseeing government network infrastructure. Proofpoint has attributed the campaign to the Chinese threat group known as TA428. Researchers believe the likely motivation is conducting espionage on capabilities like 5G and establishing a beachhead for future attacks.
“Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT,” researchers wrote in today’s blog post.
According to the research, the malicious RTFs were first delivered via Yahoo accounts and came from senders whose names closely mirrored those within the targeted entities. The email subjects were crafted with convincing IT-related themes relevant to government or public training in Asia.
“On one specific occasion an email utilized the subject 'ITU Asia-Pacific Online CoE Training Course on "Conformity & Interoperability in 5G" for the Asia-Pacific Region, 15-26 April 2019' and the attachment name '190315_annex 1 online_course_agenda_coei_c&i.doc.' The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries,” researchers wrote.
“Op LagTime IT is a continuation of a long-running Chinese espionage campaign which is intended to satisfy intel requirements on its regional neighbors,” said Kevin Epstein, vice president, threat operations, at Proofpoint. “The targeting of government IT agencies is both expected and significant as China continues to expand the global footprint of its communications technologies.”
AT&T will be forced to defend itself in court after a judge refused to throw out a $224m lawsuit alleging the firm is liable for handing over the defendant’s SIM card to hackers.
The telco giant is in the dock after entrepreneur Michael Terpin was hit by a classic SIM swap attack, in which hackers persuaded an AT&T agent in a Connecticut store to transfer his mobile phone number to a new SIM.
They were then able to intercept one-time passcodes sent via text to unlock Terpin’s cryptocurrency accounts and drain them of funds worth an estimated $24m.
In August last year, Terpin’s lawyers filed 16 counts of fraud, including gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, and failure to supervise its employees and investigate their criminal background.
More broadly, Terpin is arguing that AT&T’s contract is too one-sided.
“Mr Terpin’s claim seeks to declare AT&T’s wireless customer agreement as unconscionable, void against public policy, and unenforceable in its entirety,” presiding judge Otis Wright said. “Specifically, he objects to the exculpatory provision that exempts AT&T from liability from its own negligence, acts or omissions of a third party, or damages or injury caused by the use of the device.”
Wright ruled that Terpin’s lawyers had “sufficiently alleged” that AT&T may have violated the Federal Communications Act by allowing unauthorized access to their client’s accounts – meaning the $224m lawsuit will proceed.
“Judge Wright strongly repudiated AT&T’s audacious bid to prevent Michael from demonstrating to a jury the carrier’s contempt for consumers’ privacy and utter disregard of its legal obligations to prevent this very type of SIM swap and financial crime,” noted Terpin’s lead counsel Pierce O’Donnell. “The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card.”
The case will be watched eagerly by other telco providers as SIM swapping becomes increasingly commonplace.
It’s believed that Terpin’s nemesis on this occasion was a gang led by New Yorker Nicolas Truglia, the arrested “Bitcoin bandit” who used phishing techniques and fake ID documents bought on the dark web to con telco support operatives into porting customer phone numbers.
Paul Dunphy, research scientist at OneSpan’s Innovation Centre, said the attacks also raise serious questions about the use of SMS in multi-factor authentication (MFA).
“The result of this court case will have big implications for designers of multi-factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future,” he added. “I’d advise that for high value accounts individuals should avoid using SMS for multi-factor authentication, especially for cryptocurrency.”
A group of anonymous researchers have outed the APT17 cyber-attack group (aka DeputyDog) as a Chinese Ministry of State Security (MSS) operation, potentially paving the way for more US indictments.
Intrusion Truth have been right before, when they identified APT3 and APT10 as MSS groups: the former operated by a contractor known as Boyusec. These revelations led to Department of Justice indictments against some of the groups’ members in 2017 and 2018.
Now Intrusion Truth has identified a likely MSS officer, Guo Lin, who studied information security to Masters level and is affiliated with four private technology companies in the eastern city of Jinan.
The group also identified two hackers from Jinan – Wang Qingwei, who works at one of those four tech firms, and Zeng Xiaoyong (aka “envymask”).
Zeng is said to have submitted code used in a popular Chinese APT hacking tool known as ZoxRPC, which was subsequently developed into a newer tool, ZoxPNG (aka BLACKCOFFEE) by another Jinan hacker, Zhang Peng. ZoxPNG became a key part of multiple APT17 hacking campaigns, the blog post continued.
“Either, one of the authors of code in APT17’s primary malware just happens to be associated with a series of cybersecurity outfits that claim the MSS as their clients and are coincidentally managed by an MSS officer,” concluded Intrusion Truth. “Or, MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security manages APT17.”
China’s MSS is a sprawling, powerful intelligence agency that can be thought of as a combination of the FBI and CIA. That is, it deals with domestic affairs and foreign intelligence operations.
It is believed that hacking operations have increasingly been shifted from the PLA to this agency over the past few years, as attacks become more sophisticated.
Washington is increasingly prepared to name and shame officers in indictments, although there’s little chance of them ever facing justice. This happened with charges issued in October last year related to a conspiracy to steal aviation secrets.
In a rare moment, US officials managed to arrest an alleged MSS officer in that same month, in connection with another plot to steal aviation secrets.
Facebook has set out plans for a radical overhaul of its internal processes to foreground user privacy, in the wake of its record FTC fine.
The social network was slapped with a $5bn penalty by the US regulator following failures that allowed personal data on 50 million users and their friends to be harvested by shadowy political consultancy Cambridge Analytica without their knowledge.
It has been argued that the data was used to try to influence the outcome of the Brexit referendum and the 2016 US Presidential election.
In a blog post on Wednesday, general counsel Colin Stretch outlined the steps Facebook is taking to build a security and privacy-by-design culture “on a different scale than anything we’ve done in the past” – with transparency and accountability front-and-center.
“It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements,” he said. “Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.”
Privacy protections will be built into every product, with any risk documented and resolved, and more monitoring and reporting obligations placed on the firm. There will be detailed quarterly reports to verify compliance signed by Mark Zuckerberg and with executive accountability throughout.
An independent privacy assessor will report to a new board committee each quarter and the FTC, to ensure the firm is living up to its commitments.
“We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work, and we expect it will take longer to build new products following this process going forward,” said Zuckerberg in a statement.
“Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”
Although the measures go beyond US law, they chime very much with the expectations of GDPR regulators – highlighting again that the EU law is leading the way globally in terms of privacy legislation.
In fact, it is likely to work in Facebook’s favor in the long run if it can effectively roll out a single privacy regime across its entire global operations.
The latest edition of nonprofit VideoLAN’s VLC media player has what the German agency CERT-Bund is calling a serious security flaw that could allow attackers to install and run software without the user’s knowledge, according to NewsX.
“This is just one in a long and constant stream of flaws in VLC. I absolutely would not recommend that anyone access untrusted content with VLC due to the high risk of memory corruption vulnerabilities. In general, VLC does not have a good reputation in the security industry as they regularly will leave vulnerable pre-compiled executables for download despite having patched them in the latest source code," said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT). “Video players are a frequent target for file format exploits due to the inherent complexity of parsing multimedia files.”
If exploited, an attacker could gain remote access and potentially disclose information, manipulate files or create a denial-of-service state. According to NIST’s National Vulnerability Database, the vulnerability, CVE-2019-13615, is a heap-based buffer over-read in the media player. On its own, that bug class more readily yields a crash or information disclosure than code execution, which is consistent with the expert comment that follows.
This isn’t the only VLC issue disclosed this month, according to Larry Trowell, principal consultant at Synopsys. “There have been four recent vulnerabilities disclosed that are loosely related to the same area of code. While the issue is serious, using the CVSS 3.0 standard to rate the severity of a vulnerability can be a bit misleading as issues tend to rank higher than in version 2. Using the CVSS 2.0 scale, this vulnerability ranks as a 7.5,” Trowell said.
Because the user has to voluntarily interact with the attack mechanism, Trowell said the attacker can’t initiate. “It’s easy to make a corrupted stream, but the trick is getting a user to play it. Also, this attack doesn’t give an attacker any extra privileges.
“There are not a lot of people who are playing random videos they get off the internet as the root/admin user on their computers. This attack can only be triggered with user interaction: the user has to either download a malicious file or open a stream that is streaming said files,” Trowell said.
As a result, a malicious actor would be dependent on the user searching out and opening a corrupted file. Trowell noted that this could be accomplished with a phishing campaign, but “it seems like in most cases the video sent would be opened with the internet browser or the email client, not VLC.
“Video parsing is hard to do correctly. There is a reason that a number of issues have been found and a reason why a correct patch will take time to implement and test. I do not know when the finding was announced to VLC or if any time was given to fix the issue before its announcement, and that should be taken into account when criticizing the company for not having a fix ready,” Trowell added.
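Both experts quoted above point at the same root cause: a media parser that trusts a length field embedded in attacker-controlled input. The following is an added example, not VLC or libebml code and not the actual CVE-2019-13615 bug. It uses a container format constructed for the illustration (a 4-byte big-endian payload length followed by that many bytes, repeated), shows how far past the buffer a parser that trusts the length would read, and beside it the check that stops the over-read. The function names and the sample streams are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Record format constructed for this example (not a real container format):
 *   4-byte big-endian payload length, then that many payload bytes, repeated
 *   until the buffer ends. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe logic: trusts the length field. Instead of performing the
 * out-of-bounds read (undefined behaviour in C), this reports how many bytes
 * past the end of the buffer the parser would read; 0 means none. */
size_t naive_overread(const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (off + 4 <= len) {
        uint32_t n = read_be32(buf + off);
        off += 4;
        if (n > len - off)          /* a real parser would memcpy() n bytes here */
            return n - (len - off);
        off += n;
    }
    return 0;
}

/* Hardened parser: checks the declared length against the bytes that remain
 * before touching the payload. The comparison is written as n > len - off
 * rather than off + n > len so an attacker-supplied 0xFFFFFFFF cannot wrap
 * the arithmetic. Returns the number of chunks parsed, or -1 for a truncated
 * or malformed stream. The payload byte sum stands in for "using" the data. */
int parse_chunks(const uint8_t *buf, size_t len, uint32_t *sum_out) {
    size_t off = 0;
    int count = 0;
    uint32_t sum = 0;
    while (off < len) {
        if (len - off < 4) return -1;       /* truncated length header */
        uint32_t n = read_be32(buf + off);
        off += 4;
        if (n > len - off) return -1;       /* declared length exceeds data */
        for (uint32_t i = 0; i < n; i++) sum += buf[off + i];
        off += n;
        count++;
    }
    if (sum_out) *sum_out = sum;
    return count;
}

/* Convenience wrapper: payload sum of a stream, or 0 if it is malformed. */
uint32_t payload_sum(const uint8_t *buf, size_t len) {
    uint32_t s = 0;
    return parse_chunks(buf, len, &s) < 0 ? 0 : s;
}

/* Constructed inputs: a well-formed stream (chunks of 2 and 1 bytes) and one
 * whose second chunk claims 16 payload bytes when only one remains. */
const uint8_t GOOD_STREAM[] = { 0, 0, 0, 2, 0x01, 0x02,  0, 0, 0, 1,  0x03 };
const size_t  GOOD_STREAM_LEN = sizeof GOOD_STREAM;
const uint8_t BAD_STREAM[]  = { 0, 0, 0, 2, 0x01, 0x02,  0, 0, 0, 16, 0x03 };
const size_t  BAD_STREAM_LEN = sizeof BAD_STREAM;

int main(void) {
    printf("good: chunks=%d overread=%zu sum=%u\n",
           parse_chunks(GOOD_STREAM, GOOD_STREAM_LEN, NULL),
           naive_overread(GOOD_STREAM, GOOD_STREAM_LEN),
           payload_sum(GOOD_STREAM, GOOD_STREAM_LEN));
    printf("bad:  chunks=%d overread=%zu\n",
           parse_chunks(BAD_STREAM, BAD_STREAM_LEN, NULL),
           naive_overread(BAD_STREAM, BAD_STREAM_LEN));
    return 0;
}
```

The malformed stream makes the trusting parser read 15 bytes beyond the allocation, which on a real heap is exactly the over-read NVD describes: what lands in those 15 bytes is whatever the allocator placed after the frame buffer. The hardened version rejects the stream before the first out-of-bounds access, and because a lone over-read leaks or crashes rather than executes, the check is the whole fix for this bug class; the difficulty Trowell alludes to is that a real demuxer has hundreds of such length fields, not one.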
RiskIQ’s latest report, which analyzes proprietary research and data derived from the volume of malicious activity on the internet, found that cyber-criminals cost the global economy $2.9 million every minute last year, for a total of $1.5 trillion.
Major companies are losing $25 per internet minute to security breaches, while hacks on cryptocurrency exchanges cost $1,930 per minute. Criminals are leveraging multiple tactics, from malvertising to phishing and supply chain attacks. Losses from phishing attacks alone run to $17,700 per minute, and global ransomware events in 2019 are projected to cost $22,184 per minute.
"As the scale of the internet continues to proliferate, so does the threat landscape," said Lou Manousos, CEO of RiskIQ, in today’s press release. "By compiling the vast numbers associated with cybercrime in the past year, we made the research more accessible by framing it in the context of an 'internet minute.' We are entering our third year defining the sheer scale of attacks that take place across the internet using the latest third-party research and our own global threat intelligence so that businesses can better understand what they're up against on the open web."
Cyber-criminals have also stepped up their targeting of e-commerce with Magecart attacks, which grew by 20% over the last year; the study found 0.21 Magecart attacks detected every minute. The data also showed that in each internet minute 8,100 identifier records are compromised, seven malicious redirectors occur and 0.32 apps are blacklisted. In addition, the research found 2.4 phish traversing the internet per minute.
“Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies,” Manousos said. “With the recent explosion of web and browser-based threats, organizations should look to what can happen in a matter of minutes and evaluate their current security strategy. Businesses must realize that they are vulnerable beyond the firewall, all the way across the open internet."
Though antivirus software is meant to protect PCs and other devices from unknown malware and threats, Comodo Antivirus – which has over 85 million desktop installations across more than 700,000 business customers – is riddled with vulnerabilities that would ultimately grant an attacker complete control over the machine, according to a blog post published today by Tenable. Researchers discovered a sandbox escape and a privilege escalation to SYSTEM. An attacker could even disable the antivirus altogether, leaving the device unprotected and vulnerable, researchers explained.
“Comodo uses many IPC mechanisms between its various AV components: Filter Ports, Shared Memory, LPC, and COM,” wrote Tenable’s David Wells.
“We happen to know Comodo has the capability to invoke scan jobs from low-privilege processes such as explorer.exe (via its Context Shell Handler, the menu that appears when a user right-clicks) or Cis.exe (Comodo client GUI). These scan jobs are executed by invoking routines in CAVWP.exe which runs as SYSTEM.”
In total, researchers discovered five different vulnerabilities, which are demonstrated in a proof-of-concept video that illustrates the risks.
Researchers wrote that they had disclosed the vulnerabilities to Comodo on April 17. The company confirmed some of the vulnerabilities on May 7, adding that it was awaiting confirmation of others. According to the disclosure, Tenable followed up to request a status update several times before Comodo reported on June 7 that the “LPE vulnerability is partially due to Microsoft's fault.”
On July 8, Tenable asked for a status update on when fixes would be released. As of the July 22 disclosure, researchers had not been made aware of a patch to address these vulnerabilities. In an email to Infosecurity, a Comodo spokesperson wrote, "There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."
Sky customers have been advised to reset their passwords as a security measure.
In an email sent to a number of its customers, the company wrote: “At Sky we take the security of your data and information extremely seriously. To help keep your account safe we have reset the password for your Sky account.”
Sky confirmed on Twitter that the message is genuine and prompted recipients to follow the link to reset their password, although the reason behind the reset remains unclear.
“The latest news regarding password resets occurring for email accounts with sky.com, as so-called ‘precautionary measures’ that have been taken, indicates that the incident is ongoing and possibly the root cause is still unknown,” said Joseph Carson, chief security scientist & advisory CISO at Thycotic.
“If indeed this was a credential stuffing cyber-attack, then there would be an indicator of a high number of failed log-in attempts, hopefully resulting from some users following best practices by not using the same password across multiple accounts. This is what credential stuffing is trying to abuse using an automated process.”
Sky needs to follow incident response best practices and treat this incident as serious because, in many cyber-incidents, more serious data breaches tend to be uncovered once investigators start looking harder, Carson added. “Sky customers should really start using password managers and two-factor authentication to ensure that a password is not the only security protecting sensitive data.”
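The indicator Carson describes, a burst of failed logins that is spread across many different accounts rather than concentrated on one, is what separates credential stuffing from an ordinary brute-force or a forgetful user. The following is an added example, not Sky’s or Thycotic’s code, that runs that logic over a handful of constructed authentication log lines. The key=value log layout, the field names and the thresholds are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC   8    /* distinct source IPs tracked (example-sized) */
#define MAX_USERS 16   /* distinct usernames tracked per source */
#define FIELD     32

typedef struct {
    char ip[FIELD];
    int  failures;                 /* failed logins seen from this source */
    int  distinct_users;           /* distinct accounts those failures targeted */
    char users[MAX_USERS][FIELD];
} SourceStats;

/* Constructed sample auth log lines in a key=value layout assumed for this
 * example. 203.0.113.7 tries one password each against five accounts (the
 * stuffing pattern); 198.51.100.2 is a single user mistyping their password. */
const char *SAMPLE_LOG[] = {
    "ts=2019-07-25T09:00:01Z result=FAIL user=alice src=203.0.113.7",
    "ts=2019-07-25T09:00:02Z result=FAIL user=bob src=203.0.113.7",
    "ts=2019-07-25T09:00:02Z result=FAIL user=carol src=203.0.113.7",
    "ts=2019-07-25T09:00:03Z result=FAIL user=dave src=203.0.113.7",
    "ts=2019-07-25T09:00:03Z result=OK user=erin src=203.0.113.7",
    "ts=2019-07-25T09:00:05Z result=FAIL user=frank src=203.0.113.7",
    "ts=2019-07-25T09:01:00Z result=FAIL user=alice src=198.51.100.2",
    "ts=2019-07-25T09:01:04Z result=FAIL user=alice src=198.51.100.2",
    "ts=2019-07-25T09:01:09Z result=OK user=alice src=198.51.100.2",
};
const int SAMPLE_LOG_LEN = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);

/* Copy the value that follows `key` (e.g. " user=") up to the next space. */
static int get_field(const char *line, const char *key, char *out, size_t n) {
    const char *p = strstr(line, key);
    if (!p) return 0;
    p += strlen(key);
    size_t i = 0;
    while (p[i] && p[i] != ' ' && i + 1 < n) { out[i] = p[i]; i++; }
    out[i] = '\0';
    return 1;
}

/* Tally failed logins and the distinct usernames they targeted, per source IP.
 * Sources meeting both thresholds are copied into `flagged`; returns how many. */
int detect_stuffing(const char **lines, int nlines, int min_failures,
                    int min_users, SourceStats *flagged, int max_flagged) {
    SourceStats stats[MAX_SRC];
    int nsrc = 0;
    for (int i = 0; i < nlines; i++) {
        char result[FIELD], user[FIELD], ip[FIELD];
        if (!get_field(lines[i], " result=", result, FIELD) ||
            !get_field(lines[i], " user=", user, FIELD) ||
            !get_field(lines[i], " src=", ip, FIELD))
            continue;                              /* skip unparseable lines */
        if (strcmp(result, "FAIL") != 0) continue; /* only failures count */
        SourceStats *s = NULL;
        for (int j = 0; j < nsrc; j++)
            if (strcmp(stats[j].ip, ip) == 0) { s = &stats[j]; break; }
        if (!s) {
            if (nsrc == MAX_SRC) continue;         /* table full: drop for the example */
            s = &stats[nsrc++];
            memset(s, 0, sizeof *s);
            strncpy(s->ip, ip, FIELD - 1);
        }
        s->failures++;
        int seen = 0;
        for (int j = 0; j < s->distinct_users; j++)
            if (strcmp(s->users[j], user) == 0) { seen = 1; break; }
        if (!seen && s->distinct_users < MAX_USERS)
            strncpy(s->users[s->distinct_users++], user, FIELD - 1);
    }
    int nflag = 0;
    for (int j = 0; j < nsrc && nflag < max_flagged; j++)
        if (stats[j].failures >= min_failures && stats[j].distinct_users >= min_users)
            flagged[nflag++] = stats[j];
    return nflag;
}

/* Run the detector over the constructed log and return how many sources it flags. */
int sample_flagged_count(int min_failures, int min_users) {
    SourceStats flagged[MAX_SRC];
    return detect_stuffing(SAMPLE_LOG, SAMPLE_LOG_LEN, min_failures, min_users,
                           flagged, MAX_SRC);
}

int main(void) {
    SourceStats flagged[MAX_SRC];
    int n = detect_stuffing(SAMPLE_LOG, SAMPLE_LOG_LEN, 5, 4, flagged, MAX_SRC);
    for (int i = 0; i < n; i++)
        printf("possible credential stuffing from %s: %d failures across %d accounts\n",
               flagged[i].ip, flagged[i].failures, flagged[i].distinct_users);
    return 0;
}
```

With thresholds of five failures across at least four accounts, only 203.0.113.7 is flagged; 198.51.100.2 has the failures of a single user and is left alone, which is the distinction that keeps a stuffing rule from paging on every lockout. In production the same tally would be windowed by time and keyed on more than the source address (ASN, user agent, TLS fingerprint), since stuffing tools rotate through proxy pools precisely to stay under a per-IP threshold.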