Info Security

Subscribe to Info Security  feed
Updated: 1 hour 28 min ago

Zendesk Breach Hits 10,000 Corporate Accounts

Thu, 10/03/2019 - 09:45
Zendesk Breach Hits 10,000 Corporate Accounts

Customer support software giant Zendesk has discovered a security breach dating back to 2016, affecting thousands of corporate clients.

After being alerted to the incident by a third party, the firm last week identified 10,000 Zendesk Support and Chat accounts which had been accessed by an unauthorized third party.

Although this number contained some trial accounts and others that are no longer active, Zendesk has a number of high-profile clients including Airbnb, Uber and OpenTable that could be affected.

There’s apparently no evidence that ticket data was accessed. However, email addresses, names and phone numbers of agents and end users of certain Zendesk products up to November 2016 were accessed, as well as hashed and salted agent and end user passwords. In this context, “agents” are the customer support staff from client organizations who use the software, while “end users” are their customers.

The firm said there’s no evidence these passwords were used to access Zendesk services.

In addition, for around 700 accounts, the TLS encryption keys and the configuration settings of apps installed from the Zendesk app marketplace or private apps were accessed.

“As a precautionary measure, in the next 24 hours, we are starting to implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016,” Zendesk explained.

“This password rotation will impact all other products which share authentication with Support, including Guide, Talk and Explore. Upon their next login, each of these users will be required to create a new password. You will not be impacted by this if we have been able to identify that you have updated your password since November 1, 2016 or have implemented Single Sign-On in connection with your account.”

The firm urged customers with accounts dating back prior to November 1 2016 to: rotate all credentials for any Zendesk Marketplace or private apps, upload new TLS certificates and revoke the old ones and rotate authentication credentials used in Zendesk products before the November date.

Categories: Cyber Risk News

Over 20 Million Russian Tax Records Exposed in Privacy Snafu

Thu, 10/03/2019 - 08:55
Over 20 Million Russian Tax Records Exposed in Privacy Snafu

Over 20 million Russian tax records were found publicly exposed in a misconfigured Elasticsearch database last month, in yet another privacy snafu.

Security researcher Bob Diachenko teamed up again with Comparitech to discover the unsecured server, which contained personally identifiable information (PII) on Russian citizens dating from 2009-2016.

Lacking password protection or any other authentication mechanism, the Amazon Web Services Elasticsearch cluster was first indexed by search engines in May 2018. Diachenko discovered it on September 17 and notified the Ukraine-based owner.

Although the researchers are still unclear what entity managed the database, it was made inaccessible three days after Diachenko raised the red flag.

The unencrypted PII included names, addresses, residency status, passport and phone numbers, tax ID numbers, and employer names and phone numbers. It sat exposed for over a year.

“The cluster contained multiple databases. Some seemed to contain mostly random and publicly sourced data. Two databases, however, included tax and personally identifiable information about Russian citizens. Most of those citizens appear to be from Moscow and the surrounding area,” explained Comparitech’s Paul Bischoff.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over six million from 2009 to 2015.”

The data is highly sensitive and could be used to craft convincing follow-on phishing and identity fraud schemes.

Organizations across the globe are failing to protect their Elasticsearch databases. This year alone, researchers have used simple online search tools to find: 8TB of email metadata belonging to a leading Chinese university, 24 million financial records from multiple banks, a copy of the Dow Jones Watchlist containing 2.4 million records and PII on 82 million Americans exposed by a mystery company.

AWS S3 buckets and MongoDB instances are also commonly misconfigured, exposing countless organizations and their customers to the threat of data theft.

Categories: Cyber Risk News

#VB2019: Telcos Faced Sustained Exfiltration Attack Efforts

Thu, 10/03/2019 - 08:20
#VB2019: Telcos Faced Sustained Exfiltration Attack Efforts

Speaking at the Virus Bulletin 2019 conference in London, Cybereason researchers Amit Serper, Mor Levi and Assaf Dahan discussed the “worldwide campaign against telecommunication providers” that they coined Operation Soft Cell.

Described by Serper as an access operation which was a “multi-wave attack,” he said that the operation targeted call detail records (CDRs) which contain details of call information, where calls are made and the originating number and IMEI number.

“With this you can build a complete picture of a person and where they are located through the day,” he said. “You get a lot of information without getting on the phone as metadata is siphoned off.”

Levy said an investigation usually started with small pieces being tied together, and the researchers were able to learn more about the attacker. Levy said that the investigation started in 2018, and nothing was unusual at first, but second, third and fourth waves of attack were spotted, which led them to conclude that this was the same actor “as behavior and techniques were almost the same, and they were adaptive and changing indicators to bypass detection.” It was later revealed by the researchers that the compromise had sometimes gone on for up to seven years.

During the third phase, the researchers realized the attacker was not after bill data or domain administrator details.

Dahan said that the attacker was able to get in, do external reconnaissance, and use third party tools for exfiltration and to move laterally and obtain credentials.

“We understood that the attack was on exfiltration, as they compressed and password protected it,” Dahan said. Serper pointed out that remote access Trojans like Poison Ivy were used. 

Levy added that it was “hard to connect the dots but we knew the bigger picture,” and the purpose of the threat intelligence research was to get the big picture. The companies were informed, and it initially expanded from Cybereason’s customer to dozens of other telcos.

The research also revealed that a lot of the attacks took place in GMT+8, the Chinese time zone, where a two-hour lunch break was also taken. Serper concluded by saying that upon telling those affected, he got very negative responses as “cyber insurance doesn’t cover nation state attacks as it is an act of war.”

Categories: Cyber Risk News

Hackers Are Impersonating Each Other to Hide Their Real Agendas

Wed, 10/02/2019 - 18:56
Hackers Are Impersonating Each Other to Hide Their Real Agendas

Threat actors have been using cyber-disguises to keep their true intentions secret, according to a report published today by Optiv Security.

Typical cyber threat intelligence usually categorizes threat actors in fixed classes, such as nation-states, cyber-criminals, commercial entities, and hacktivists. But, according to Optiv’s new 2019 Cyber Threat Intelligence Estimate (CTIE) report, "it’s a mistake to assume these categories are rigid or to assume that a threat actor’s classification is static."

The CTIE report is inspired by national intelligence estimates, which are analytic reports produced by the intelligence community of the United States for consumption by Congress. The CTIE comprises contributions from Optiv’s Global Threat Intelligence Center (gTIC), cyber threat intelligence company IntSights, and Carbon Black, a leader in cloud endpoint protection.

Optiv researchers found that it's not unusual for threat actors to have multiple criminal identities that they can switch between to get what they want without revealing who they are or what their actual agenda is.

For example, nation-state actors may pretend to be just a regular cyber-criminal targeting a company’s customer database, when in reality their target is to delve into the firm's deepest recesses to steal its intellectual property. 

According to the report: "Sometimes threat actors may masquerade as a certain type in order to hide their true agenda. Or, threat actors may belong to two or more classes, switching between them as their priorities change."

Threat actors who demonstrate this switching behavior to cloak the true nature of their dastardly deeds are described by Optiv's researchers as "hybrid threat actors." According to the report, their primary targets are governments, manufacturing, energy, and utilities. 

According to Optiv CISO Brian Wrozek, spotting when an impersonation is taking place is "quite difficult." He told Infosecurity Magazine: "Imagine robbing a bank, but the bank robber is able to present themselves as a police officer. It would be extremely difficult to identify that person. Security professionals look for patterns, which can create opportunities for bad actors to abuse those patterns to obscure their true identities."

Asked which class of threat actor is the easiest to impersonate, Wrozek said: "It’s difficult to say which is easiest, but one of the most common places we see this is in regard to nation-states. With so much politically driven activity regarding cybersecurity happening across the globe, it can be easy for nation-states to play the blame game with one another, making attribution difficult. Also, no one likes to admit they got hacked by some random individual. Saying a rich, powerful nation-state was behind an attack is much less embarrassing, so there’s that aspect to consider as well."

Other findings of the report are that crypto-jacking and ransomware attacks are increasing in popularity, and that retail, healthcare, government, and financial institutions continue to be among the most targeted verticals of cybersecurity attacks or attempts among the 10 categories of Optiv clients.

"Cyberspace has become more hostile. Hackers are more organized and sophisticated in 2019, and we’re seeing malicious attackers increase their counter measures to avoid detection,” said Tom Kellermann, chief cybersecurity officer at Carbon Black. 

"According to our research, no vertical is immune, but the financial industry continues to stand out as a key target for advanced attacks. We hope cybersecurity leaders and teams will use this data as a clarion call to improve their cybersecurity postures."

Categories: Cyber Risk News

10 Hospitals Held to Ransom by Cyber-Criminals

Wed, 10/02/2019 - 18:08
10 Hospitals Held to Ransom by Cyber-Criminals

Ten hospitals in Australia and the United States have been hit by ransomware attacks since Monday. 

In America, computers at three Alabama hospitals operated by DCH Health System were affected, causing staff to close their doors to any new patients who weren't critically ill. 

In a statement posted on their website earlier today, DCH wrote: "Early Oct 1, the DCH Heath System discovered that it had suffered a ransomware attack that impacted their systems. We immediately implemented emergency procedures to continue providing safe and patient-centered care."

The hospitals affected by the attack are DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center and Northport Medical Center. While access to computer systems remains limited, local ambulances are taking patients to other healthcare providers located nearby. 

Surgeries scheduled for tomorrow will go ahead however outpatients with appointments at any of the three hospitals affected by the ransomware attack are advising to call to confirm before attending. 

Services at seven hospitals and healthcare facilities in Australia have likewise been boggled by ransomware in a separate cyber-attack which struck in Gippsland and south-west Victoria on Monday. 

The impacted hospitals are part of the South West Alliance of Rural Health and also of Gippsland Health Alliance. Multiple computer systems have been disconnected to while the Victorian Cyber Incident Response Service works to resolve the situation. 

Barwon Health, which operates hospitals affected by the attack, said that some elective surgeries and appointments had been cancelled. 

The Victorian government's Department of Premier and Cabinet said: "A number of servers across the state have been impacted. Investigations are still taking place on the full extent of the impact. 

"At this time, there is no suggestion that personal patient information has been accessed."

Commenting on the ransomware attacks, senior director of managed threat response at Sophos, J.J. Thompson, said: "Ransomware is foreseeable and preventable. Organizations need to have effective, advanced protection in place at every state of an attack. The techniques, tactics and procedures that occur prior to a ransomware incident can and should be detected by existing security capabilities and are foundational pillars to the patient care model in healthcare 4.0.

"It’s also important to have off-site backups to reduce the pressure to comply with expensive ransom demands and to be able to recover faster."

Categories: Cyber Risk News

America Launches New Cybersecurity Directorate

Wed, 10/02/2019 - 17:23
America Launches New Cybersecurity Directorate

America's National Security Agency has launched a new organization to beef up the country's defenses against cyber-attackers. 

The Cybersecurity Directorate has been created to unify the efforts of the NSA's existing foreign intelligence and cyber-defense missions. The new organization will bring the Agency's threat detection, future-technologies, and cyber-defense personnel together under one roof for the very first time.

Underpinning the creation of the directorate is the idea that forming partnerships to allow intelligence and technical expertise to be pooled and operationalized represents America's best chance of thwarting cyber-adversaries. 

A spokesperson for the NSA said: "Many organizations work tirelessly to protect against today’s threats and tomorrow's risks, but the adversaries are tenacious, and they only need to be successful once.

"The Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity.

"The new directorate will also better position NSA to operationalize its threat intelligence, vulnerability assessments, and cyber-defense expertise by integrating these efforts to deliver prioritized outcomes." 

One of the NSA's partners is the Department of Homeland Security, with whom the Agency has been working to identify and monitor the systems in the financial sector that make the easiest hacking targets.

By launching the new directorate, the NSA hopes to strengthen the cyber-shield protecting the country's national security systems and critical infrastructure from threat actors. 

Topping the freshly launched organization's list of priorities are defending America's industrial base and innovating ways to improve the security of the nation's extensive arsenal of weapons. 

Helping to safeguard the private sector is also something that the new directorate will focus on. Efforts will be made to declassify threat intelligence received by the new organization as speedily as possible so that it can be shared with US businesses. 

NSA director General Paul Nakasone said: "What I’m trying to get to in a space like cyberspace is speed, agility, and unity of effort."

Leading the new Cybersecurity Directorate is director of cybersecurity Anne Neuberger, who reports directly to General Nakasone. Her previous positions include NSA’s first chief risk officer, deputy director of operations, and lead of NSA’s Russia Small Group. 

Categories: Cyber Risk News

#VB2019: Magecart Attack Groups Move to More Targeted Efforts

Wed, 10/02/2019 - 13:30
#VB2019: Magecart Attack Groups Move to More Targeted Efforts

Speaking at the Virus Bulletin 2019 conference in London, Yonathan Klijnsman, head of threat research at RiskIQ, said that many groups had been identified as being behind recent Magecart attacks, but new movements were being made towards more targeted attacks.

Klijnsman explained that traditional Magecart attacks groups would get into a company’s network, and they would typically target e-commerce organizations, with only “25 lines of javascript.” He said that the web skimmers worked on the server side, and in 2016 RiskIQ observed more groups starting to do this, “and there are 15 active groups that we tracked.”

Pointing to Group 6 that IBM’s X-Force published a report on, Klijnsman said that “once they are in your network they will know more than you do, they are the admins you want to hire.” The group later hit both NewEgg and British Airways, having access to the former for six months, but crucially not being present during Black Friday, as they had been detected and removed by then.

Another called Group 5 are “experts in support,” and Klijnsman said that they know of at least 20 suppliers that have been hit by this group. “They hit one supplier who had over 100,000 victim websites” and while it delivers malicious code, it will not have access to payment data.

A group that RiskIQ plans to reveal more details on in the coming months is Group 15, who Klijnsman said are “very specialized” as they have built a framework for skimming, and are able to remove a payment form and put their own in it's place.

This, he said, was part of the evolution of the groups, as they are doing more targeting and learning more about content management systems. In the case of the attack on Ticketmaster, this was enabled by a compromise of Sociaplus between December 2017 to June 2018.

This was part of one of the three main compromise capabilities: via outdated or misconfigured systems, via password reuse as groups are looking at breached user lists and supply chain attack.

“The latter is not something people are talking about and while you want analytics and CDNs and services, they make you vulnerable and make your customers and visitors vulnerable to attack.”

Categories: Cyber Risk News

#VB2019: NCSC Reflects on Three Years of Countering and Attribution

Wed, 10/02/2019 - 12:55
#VB2019: NCSC Reflects on Three Years of Countering and Attribution

As it prepares to mark its third anniversary of opening, the National Cyber Security Centre (NCSC) has said that defending the UK is a team effort and encouraged more businesses to work with it.

Speaking at the Virus Bulletin 2019 conference in London, director of operations at the NCSC Paul Chichester, reflected on the work done to create the NCSC, and how UK businesses needed to work alongside it.

Chichester explained that the momentum for a response center had begun when, in the 2000s, the attackers targeting the UK were looked at closer, and today “there are 20 nation state threats that we track” and while it does not track all threats and compete with commercial companies, it can “understand additional insights.” 

He said that with 20 years of capability and insight to understand threats to the UK, the government funding in 2010 led to the development of the NCSC, which solved the problem of the “obvious flaws in the approach that the UK took,” in particular that there was no single point or place to go to report issues. 

Admitting that the work of the NCSC will not stop the UK being an interest for attackers, Chichester pointed out that it is able to counter threats. “Our work in the past has been on observing threats, and our view is that it is not about counting but countering the threat,” he added. 

He also said that as the NCSC is responsible for attribution, the UK government understands the context of threats and can assess threat as it pertains to the UK. “Also, we don’t respond with a red button, but by helping people, reporting to the victim and doing victim notification,” he continued, that the NCSC does “a huge amount of work in the UK and works with organizations to help them recover. Attribution is an art, not a science,” he said.

He concluded his talk by saying that the NCSC wants to collaborate more, and work with people in the industry “and for us it is a team sport and please talk to us - we care about the things you care about.”

Later speaking to Infosecurity, Chichester said that the efforts undertaken by the NCSC include doing formal attribution, and protecting the anonymity of the organizations it protects. As part of this, it feeds tactical intelligence via its CISP and partner channels, and he said that companies are often not judged by the compromise, “but how they deal with it.”

Asked if businesses are coming to the NCSC to collaborate, Chichester said they are “massively” and this is fundamental for the business. “We want people to come to us to get insight into threats at a macro level, and we want to work with organizations to help us understand what they are seeing and doing [regarding] incident response.”

Categories: Cyber Risk News

Two-Thirds of Firms Have Suffered ERP Data Breaches

Wed, 10/02/2019 - 11:00
Two-Thirds of Firms Have Suffered ERP Data Breaches

Nearly two-thirds of businesses which rely on SAP or Oracle have suffered a breach of their ERP systems in the past two years, according to new research from Onapsis.

The security vendor commissioned IDC to poll 430 IT decision makers knowledgeable about their organization's ERP applications.

Of the 64% that have suffered a breach of SAP or Oracle E-Business Suite (EBS), sales data (50%) was most commonly compromised, followed by HR data (45%), personal customer information (41%), intellectual property (36%) and financial data (34%).

The range of sensitive information listed above highlights the crucial role security teams have in protecting ERP applications, especially considering that, on average, three-quarters (74%) of these ERP applications were internet connected.

“ERP applications can be foundational for businesses. A breach of such critical ERP applications can lead to unexpected downtime, increased compliance risk, diminished brand confidence and project delays,” said Frank Dickson, program vice-president, cybersecurity products with IDC.

“Cyber-miscreants seem to be indiscriminate when it comes to ERP systems, having an appetite for all types of data, which, if in the wrong hands, could be detrimental to the business in terms of revenue and reputation.”

The high volume of breaches is also somewhat at odds with another finding: that 78% of respondents audit their ERP apps every 90 days or more.

Larry Harrington, former chairman of the Global Board of the Institute of Internal Auditors (IIA), said the findings should raise questions at a board level about the quality of such audits.

“The lack of these controls is one way for cyber insurance companies to deny claims,” he warned “The information compromised most often according to this research is the highest regulated in today’s business ecosystem. Most concerning is the popularity of sales, financial data and PII, all of which should raise flags about the possibility of insider trading, collusion and fraud.”

Categories: Cyber Risk News

WEF: Cyber-Attacks Are Biggest Business Risk in Europe and US

Wed, 10/02/2019 - 09:30
WEF: Cyber-Attacks Are Biggest Business Risk in Europe and US

Cyber-attacks remained the biggest perceived risk of doing business for executives in North America and Europe, and second globally, according to an annual World Economic Forum (WEF) report published yesterday.

Compiled from the responses of over 12,900 executives in 133 countries, the Regional Risks for Doing Business 2019 report outlines “the five global risks that you believe to be of most concern for doing business in your country within the next 10 years.”

Cyber-attacks were pegged as the biggest risk by CEOs in six of the world’s 10 largest economies: the US, Germany, the UK, France, Italy and Canada, as well as Italy and six other European countries.

Data fraud or theft was put in seventh place in terms of most concerning business risks for global respondents.

“The fact that cyber-threats worry the business community as much as they do academia, civil society, governments and other thought leaders shows just how disruptive this risk is to all aspects of life,” the report noted.

“As economies and societies continue to digitize, cyber-attacks are both more lucrative for attackers and more dangerous for victims.”

The WEF report highlighted the emergence of “formjacking” or Magecart attacks, alongside cryptojacking and the persistent threat of ransomware including the major losses suffered by Norsk Hydro as contributing to CEO unease over cyber-threats.

Some 61% of European businesses reported cyber-incidents in 2019 compared to 45% the previous year, according to insurer Hiscox.

In the US, the report pointed to a spate of ransomware attacks on local government authorities across the country and concerns over the security of election systems.

“Cybersecurity remains the most concerning risk to business leaders in advanced economies, and growing technology dependence for many businesses will only amplify this,” argued John Drzik, president of global risk and digital at Marsh.

“Combined with fractious geopolitical developments, and growing economic concerns, executives face a very challenging portfolio of potential threats. Business leaders should re-evaluate their underlying view of the global risk environment and make greater efforts to strengthen their corporate agility and resilience.”

Categories: Cyber Risk News

Former Yahoo Employee Pleads Guilty to Hacking Accounts

Wed, 10/02/2019 - 08:37
Former Yahoo Employee Pleads Guilty to Hacking Accounts

A former Yahoo employee has pleaded guilty to hacking thousands of customer accounts in search of sexual images and videos.

Reyes Daniel Ruiz, 34, of Tracy, California, admitted in a San Jose federal court on Monday to hacking around 6000 accounts — targeting those belonging to young women, including friends and colleagues.

He is said to have copied the content to a hard drive at home, although Ruiz destroyed it after his employer raised the alarm about suspicious activity.

It’s unclear exactly how he actually compromised the accounts, but the Department of Justice claimed he was first able to “crack” user passwords to access internal Yahoo systems.

Once inside, he was then able to compromise other accounts, including iCloud, Facebook, Gmail and DropBox — presumably if password reset emails were sent to the hacked Yahoo accounts.

Ruiz was charged with one count of computer intrusion and one count of interception of a wire communication. Under a plea agreement he admitted to the first charge, which carries a maximum sentence of five years behind bars plus a fine of $250,000.

Carl Wearn, head of e-crime at Mimecast, argued that all organizations should have measures in place to mitigate the insider threat, and claimed the incident shows that password resets represent a serious business risk.

“We need to make it harder for hackers to trickle into a number of systems from one weak point. A starting point is to monitor systems for unusual behavior. A pattern of multiple employees resetting passwords, for example, should trigger a warning,” he added.

“Additionally, there should always be multiple administrators so that access privileges are not abused. Businesses may not be able to prevent every employee from using their skills or access for malicious means, but they can put a plan in place for spotting and tackling such behavior.”

Categories: Cyber Risk News

Prying-Eye Vulnerability Exposes Online Meetings to Snooping

Tue, 10/01/2019 - 18:44
Prying-Eye Vulnerability Exposes Online Meetings to Snooping

Web-conferencing users who don't assign passwords could be having online meetings with more people than they think, according to new research.

The Cequence CQ Prime Threat Research team today announced its discovery in July 2019 of a vulnerability in the Cisco Webex and Zoom video-conferencing platforms that potentially exposes millions of online meetings to snooping.  

By launching an enumeration attack that targets web-conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs, threat actors could exploit the vulnerability to view and listen to active meetings that haven't been protected by a password. 

"In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community," said Shreyans Mehta, Cequence Security CTO and co-founder. 

"In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web-conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities."

Following best practices on vulnerability disclosures, the CQ Prime team notified the impacted vendors and gave them time to validate and respond to the findings.

Richard Farley, CISO of Zoom Video Communications, Inc., said: "Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature."

The Cisco Product Security Incident Response Team (PSIRT) issued an informational security advisory to its Webex customers, but said it "is not aware of any malicious exploitation of this potential attack scenario."

PSIRT said: "Cisco Webex provides the host with controls that protect the meeting—such as disallowing join before host, locking a meeting, as well as ensuring guests do not join without authentication."

Passwords are enabled as a default setting for meetings on both the Zoom and Cisco Webex platforms. However, users who are in the mood to live dangerously have the option to make meetings on both platforms password-free. 

Categories: Cyber Risk News

Publishers Targeted by GhostCat Malware

Tue, 10/01/2019 - 17:52
Publishers Targeted by GhostCat Malware

A malicious campaign that waged 13 attacks against hundreds of well-known publishers has been identified and put down by The Media Trust.  

Rather appropriately for the Halloween season, the malware was given the name GhostCat-3PC by researchers in the Trust's Digital Security & Operations (DSO) team. 

GhostCat-3PC ran behind an ad that used advanced, obfuscated code and delivery patterns to evade detection by the traditional signature-based ad blockers used by many of the publishers. 

After a quick prowl to check if the user was on a list of targeted domains, GhostCat would initiate a fraudulent pop-up that, if clicked, led to malicious content. 

The team discovered the malware in late August and observed it escalate its attack until well into September.

"What makes GhostCat-3PC unique is the scale of this highly orchestrated campaign, the sophistication of obfuscation techniques to outsmart security tools, and what appears to be an attempt to test and track the response of signature-based security defenses," Mike Bittner, The Media Trust's associate director of digital security and operations, told Infosecurity Magazine.

"Bad actors behind GhostCat-3PC know what blockers are present in these publications and are likely using these attacks as a kind of stress test to determine the risk of being discovered and impeded."

In a report published today, the DSO researchers explained how the creators of GhostCat hid malicious code inside seemingly innocuous code to get the malware past ad blockers. 

The researchers wrote: "Most blockers work by detecting known malicious signatures found in an ad tag or on a publisher site. These signatures are typically static in nature and therefore must result in an exact match to the malicious code in order to be successful. Any change to the targeted code, no matter how minor, will prevent the blocker from producing a match to the specified signature."

The Media Trust sees an average of 1,000 active, unrelated incidents in any 24-hour period, and more than 170 newly minted malicious domains each day. 

Asked how new ad blockers need to be to have any kind of effect against this continually evolving threat, Bittner told Infosecurity Magazine: "Pre-2019 blockers would be useless.

"Signature-based defenses like conventional blockers will have to update their keyword blocklists many times each day just to keep up with bad actors’ relentless assault. Just this past month, five premium publishers using conventional blocking solutions have had at least one major incident unrelated to GhostCat-3PC."

Categories: Cyber Risk News

Russian Underground Sells Disinformation Services to Influence Western Media

Tue, 10/01/2019 - 16:38
Russian Underground Sells Disinformation Services to Influence Western Media

Engaging threat actors to launch a disinformation campaign in the Western media is "alarmingly simple and inexpensive" according to a new report.

Using the Recorded Future platform, Insikt Group researchers set up a fake company located in a Western country to gain insight into the chilling world of disinformation. Researchers then hired two sophisticated disinformation vendors, which they found on a Russian-speaking underground forum, to influence public perception of the fictitious company.

The first vendor, given the code name Raskolnikov in the report (presumably as a nod to Dostoevsky's protagonist in Crime and Punishment), was engaged to paint a positive picture of the company. The second vendor, code-named Doctor Zhivago, was hired to destroy the reputation of the company, which was code-named Tyrell Corporation in the report. 

Researchers were able to launch a customizable month-long media campaign with each vendor for only a few thousand dollars. Services ranged from $8 for a social media post to $1,500 for SEO services and traditional media articles.

Raskolnikov created accounts for Tyrell Corporation on major Western social media platforms and gathered over 100 followers on each account. They offered a price list for sharing content on 45 websites, including,,, and  

Insikt Group researchers said: "In two weeks, the Tyrell Corporation was in the 'news'—one of the media sources was a less established media outlet, though the other was a very reputable source that had published a newspaper for nearly a century."

Doctor Zhivago claimed to work with a team that included journalists, editors, translators, search engine optimization (SEO) specialists, and hackers. The threat actor used social media to spread claims that Tyrell Corporation had manipulated employees, and even offered to file a complaint against the company for its supposed involvement in human trafficking. 

Researchers said: "First, a group of older accounts—referred to as 'aged accounts'— that posted links to the articles they had published in media sources was employed. Then, a new batch of accounts that reposted content from the aforementioned aged accounts to amplify the messages was used. 

"These new accounts befriended citizens living in the same country the Tyrell Corporation was located in to make the campaign more effective by targeting the audience."

Commenting on the research, Roman Sannikov, head of analyst services at Recorded Future, told Infosecurity Magazine: "We were surprised by how professional the vendors seemed to be. They provided much better customer service than your typical underground threat actor. They were there to provide us with advice on how we should carry out the campaigns and were very responsive to our questions and requests."

Asked how the research has shaped his view of the world, Sannikov said: "I think we already suspected that this was going on, though the fact that these threat actors were able to carry out the campaigns so quickly, inexpensively, and effectively in the West was certainly jarring.

"It underscores how important this issue is, not only when it comes to the public sector, but for private companies and individuals as well. We hope that our research will open people's eyes to this problem before it becomes pervasive outside of the vendors' traditional markets of Russian-speaking countries and Eastern Europe."

Categories: Cyber Risk News

Carbon Black: Defense Capabilities Match Increased Attack Sophistication

Tue, 10/01/2019 - 11:02
Carbon Black: Defense Capabilities Match Increased Attack Sophistication

While businesses are seeing an increase in attack sophistication, and the overall attack volume in the past 12 months has increased, defense is getting better.

According to research by Carbon Black of 250 British CTOs and CISOs, 84% of UK businesses reported an increase in overall attack volume while 90% cited more sophistication.

Speaking to Infosecurity, Rick McElroy, head of security strategy at Carbon Black, said that these statistics were due to what he called the “trickle down cyber-economy for adversaries” where nation state actors, cyber-militias and contractors working for them develop multi-million dollar tools which get into the wild – such as the exploits which enabled WannaCry and NotPetya to spread.

“As new capabilities and ammunition are developed, you’ll see that move into things like ransomware,” he explained. “Secondary, [offense] is not a highly specialized skill anymore, a lot of people are trained in it, and you can buy a lot of capabilities on the dark web. So the rise is down to more people being involved, and the sophistication is down to the cyber-economy, but defenders do have better tools.”

On that point, McElroy said that because there is better tooling in prevention and detection, the adversary has to improve and become more “stealthy.”

Asked if the state of cybersecurity was improving for defenders, McElroy said he believed it was getting better as “people are starting to sleep a bit more” and getting some of things that they need thanks to budget approval. “It comes back to how to make the army bigger, and recruit successfully as people look at ‘non-traditional areas’” he said.

The research found that 76% of UK organizations were more confident in their ability to repel cyber-attacks than they were 12 months ago.

McElroy said: “As the cyber-defense sector continues to mature, businesses are becoming more aware of the tools at their disposal and the tactics they can use to combat cyber-attacks. We believe this growing confidence is indicative of a power shift in favor of defenders, who are taking a more proactive approach to hunting out and neutralizing threats than previously.”

He praised the MITRE ATT&CK framework as enabling defenders as it made vendors improve their technology, and pointed out that there is a feeling that defenders have better tools than ever before “which is definitely increasing the confidence that they have” as things can be found in environments that otherwise would not have been known about.

The research also found that 90% of UK businesses said threat hunting has improved their defenses, and McElroy noted that there is less reliance on alerting, and this has had a positive impact, “but where do you find the threat hunters as this is a skill that has not been around for long and globally there is a massive shortage of threat hunters and incident responders.”

Categories: Cyber Risk News

Hearing Aid Giant Warns of $95m in Ransomware Losses

Tue, 10/01/2019 - 10:30
Hearing Aid Giant Warns of $95m in Ransomware Losses

A Danish firm has revealed that a suspected ransomware attack on its IT systems last month may end up costing as much as $95m.

Demant, which is one of the world’s leading makers of hearing aids, said it experienced a “critical incident” on September 3. Although it refuses to clarify the nature of the incident, local reports were less circumspect.

Although the firm had backed up data, the sheer scale of the attack appears to have had a major impact on its recovery.

“The Group’s IT infrastructure was hit by cybercrime. Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution,” Demant admitted in an update late last week.

“We continue ramping up to accommodate the back-log built up since the incident, to rebuild necessary inventories across the supply chain and to reduce turnaround times of repair and custom-made hearing aids. We are still in the recovery and ramp-up phase at our amplifier production site in Denmark and at our cochlear implants production site in France.”

The cumulative effect of these outages will have a negative financial impact on the firm in the region of DKK 550-650m ($80-95m). This includes a DKK 100 ($15m) deduction thanks to the firm’s cyber insurance policy.

Demant expects DKK 50m ($7m) to be incurred due to direct losses.

The firm’s hearing wholesale business was particularly badly affected, accounting for around half of estimated lost sales.

“The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” it continued.

“Despite our efforts to operate the business in the best possible way, our immediate focus on supporting existing customers to prevent them from being impacted by the incident has impacted sales and will likely impact our organic growth rate throughout the rest of the year.”

The news is another cautionary tale for firms currently unprepared to deal with the ransomware epidemic that continues to spread across the globe. Norwegian aluminium giant Norsk Hydro was hit earlier this year, leading to losses in the tens of millions of dollars.

Categories: Cyber Risk News

Six in 10 Global Firms Hit by a Data Breach

Tue, 10/01/2019 - 09:30
Six in 10 Global Firms Hit by a Data Breach

Around 60% of global organizations have suffered a breach in the past three years, with the rest increasingly feeling like their turn is coming soon, according to new research from Bitdefender.

The security firm polled over 6000 cybersecurity professionals from organizations of all sizes in the UK, US, Australia, New Zealand, Germany, France, Italy and Spain to compile its Hacked Off! study.

While six in 10 respondents said they’d been hit by a data breach, 36% claimed they could be facing one without knowing. It’s no surprise that over half (58%) are concerned about the readiness of their organization to deal with such an attack.

Board-level buy-in is a major sticking point: 57% of respondents claimed that the C-suite is the least likely to comply with corporate cybersecurity policy, putting their firm at risk and making it hard to drive the kind of company-wide security-by-design culture demanded by GDPR and other regulators.

Nearly three-quarters (73%) believe they’re more at risk as they are under-resourced, while alert fatigue is a major problem, with over half (53%) of endpoint detection and response (EDR) alerts described as false alarms.

The research found that, partly because of this EDR failure, firms are reacting too slowly to incidents.

Over a fifth (29%) claimed it would take a week or longer to detect an advanced cyber-attack, while just three in every 100 cybersecurity professionals claimed 100% of attacks can be efficiently detected and isolated.

Yet despite all of these shortcomings, more than half (57%) of respondents rated their organization’s cybersecurity “very good” or “excellent.”

Liviu Arsene, global cybersecurity researcher at Bitdefender, explained that further investments in anti-malware, network traffic analysis and EDR were all highlighted by respondents as necessary.

“Poor cybersecurity is an undeniable threat to businesses today. From the loss of customer trust to the impact on the bottom line it is critical for infosec professionals to get it right,” he added.

“According to respondents, 53% of infosec professionals have contemplated leaving their job due to under-resourcing in terms of staff. Resources are in fact such a bugbear that infosec pros say the main obstacles to their organizations’ strengthening their cybersecurity posture are a lack of budget and a lack of skilled personnel.”

Categories: Cyber Risk News

HMRC Disciplines 100 Staff for IT Misuse

Tue, 10/01/2019 - 08:40
HMRC Disciplines 100 Staff for IT Misuse

Nearly 100 HMRC employees have faced disciplinary action after misusing computer systems over the past two years, according to Parliament Street.

The think tank sent Freedom of Information (FOI) requests to the UK tax office to better understand the insider threat there.

It revealed that 92 staff members had misused IT systems over the previous two financial years, with eight sacked for their indiscretions.

Most common was misuse of email, with 15 written warnings issued in 2017-18 and a further 11 in 2018-19. According to the think tank, the culprit in many of these was a repeat offender, who had also been issued with a final written warning for computer misuse.

In 2018-19, nine written warnings were issued for misuse of social media channels, compared to zero the previous year.

In addition, 13 HMRC employees were reprimanded for misuse of telecommunications, and 19 were disciplined for misuse of computer equipment or systems.

In fact, all eight dismissals were for “misuse of computer equipment.”

Absolute Software CEO, Christy Wyatt, said tackling insider abuses should be a top priority for the public sector, especially organizations handling highly sensitive financial data on millions of citizens.

“This kind of activity often involves individuals abusing access to personal information and in some cases sharing it, leading to a potential data breach,” she added.

“Organizations like HMRC need to adopt an enterprise resilience mindset not only around potential bad employee behavior, but fortifying their overall security posture and risk management profile.”

The HMRC has been called out before for poor data protection practices. In May, privacy regulator the ICO handed it an enforcement notice after it broke the law over collection of biometric data from taxpayers.

Some 20% of cybersecurity incidents and 15% of the data breaches investigated by Verizon this year were linked to insiders, according to its Data Breach Investigations Report (DBIR).

Categories: Cyber Risk News

German Police Bust Dark Web Hosting Cyber-Bunker Business

Mon, 09/30/2019 - 18:35
German Police Bust Dark Web Hosting Cyber-Bunker Business

Hundreds of servers used to support child pornography, cybercrime, and the sale of illegal drugs have been seized in a police raid on a former NATO bunker in Germany.

German authorities arrested thirteen people between the ages of 20 and 59 on Friday after busting up a dark web hosting operation being run from a heavily fortified five-floor military bunker in the peaceful riverside town of Traben-Trarbach. 

After breaking through an iron door to gain access to the temperature-controlled bunker, 600 police searched the 1.3-acre premises and found around 200 servers stored in stacks together with disks, mobile phones, documents, and a large sum of cash. 

A 59-year-old Dutchman, who purchased the bunker in 2013, is thought to be the owner and operator of the business, which offered secured "bulletproof" website hosting to illegal businesses and concealed their activities from authorities. Sites linked to the bunker include illegal online drug stores Cannabis Road, Orange Chemicals, and Wall Street Market, formerly the second-largest global marketplace for drugs, where users could also buy hacking tools and financial-theft ware.

Suspects arrested in connection with the raid are thought to have links to organized crime and are likely to be named as accessories to over 250,000 offenses involving money counterfeiting, drugs, data mining, forged documents, and the distribution of child pornography.

Seven of the people arrested are being held in custody, with two thought to hold previous convictions for running a similar business out of a former military bunker in the Netherlands, which was sold as CyberBunker. 

Regional criminal police chief Johannes Kunz said, "I think it’s a huge success . . . that we were able at all to get police forces into the bunker complex, which is still secured at the highest military level. We had to overcome not only real, or analog, protections; we also cracked the digital protections of the data center."

Since the operation of the bunker hosting service isn't illegal per se, German authorities must prove the suspects arrested were aware of the illegal behavior of the hosted businesses to secure a conviction. Evaluating the stored data to determine this could take anywhere from months to years. 

Commenting on the raid, Vectra's head of security, Chris Morales, said: "We need to see more collaboration like this which involves the coordination between digital forensics and investigation and physical police enforcement. I applaud all of the German law enforcement agencies involved on a job well done."

Categories: Cyber Risk News

Hiding a Data Breach Can Derail an Acquisition

Mon, 09/30/2019 - 17:02
Hiding a Data Breach Can Derail an Acquisition

Companies can drive down their value by hiding or mishandling data breaches, according to research by the world's largest nonprofit association of certified cybersecurity professionals, (ISC)².

Researchers questioned 250 mergers and acquisitions (M&A) experts based in the US to determine how important a company's cybersecurity program and breach history is in deciding its value ahead of a potential purchase. 

Findings shared in the Cybersecurity Assessments in Mergers and Acquisitions report, released today, revealed that 49% of M&A experts have seen deals derailed after due diligence brought an undisclosed breach to light. 

Researchers also found that 86% of respondents said if a company publicly reported a breach of customer or other critical data in its past, it would detract from the acquisition price assigned. However, if that breach was satisfactorily addressed and fixed, and any potential fines were already paid, 88% said it would minimize the negative impact to the overall valuation.

"While every company needs to make their own decisions regarding proper data breach disclosure policies, the research clearly shows that in the context of a possible sale, not being transparent about past breaches can literally kill a potential deal, or can seriously affect the ultimate sale price," John McCumber, director of cybersecurity advocacy, North America, for (ISC)², told Infosecurity Magazine.

Having strong cybersecurity can give a company the edge over a competitor. Researchers found that 77% of experts had recommended a particular company be acquired over another because of the strength of its cybersecurity program.

The report is a reality check for companies who think a lackluster approach to cybersecurity won't diminish their stock. All respondents stated that cybersecurity audits are now a standard practice in arriving at a dollars and cents valuation, and 96% said that cybersecurity readiness factors into the calculation when they are assessing the overall monetary value of a potential acquisition target.

"While most companies would rather not experience a breach in the first place, the study shows that those who deal with one, handle it well, and make adjustments to policies in order to limit their chances of a recurrence are looked at more favorably by potential buyers than those who seem doomed to repeat their mistakes," McCumber told Infosecurity Magazine.

"Each deal is different. But what our report indicates is that in order to maximize the value of a deal, the acquisition target should ideally self-audit their cybersecurity program and readiness level in advance."

Categories: Cyber Risk News