Info Security


Kaspersky Uncovers New APT “Mercenary” Group

Thu, 07/30/2020 - 11:00

Security researchers at Kaspersky have uncovered a new cyber-mercenary group that they claim has been providing hacking services for hire for almost a decade.

Dubbed “Deceptikons,” the APT group isn’t particularly sophisticated from a technical perspective and isn’t known to have deployed any zero-day threats during that time, the Russian AV vendor said in a Q2 round-up report.

“The Deceptikons infrastructure and malware set is clever, rather than technically advanced. It is also highly persistent and in many ways reminds us of WildNeutron,” the firm said.

Also known as Jripbot and Morpho, WildNeutron was known for targeting private companies for profit around the globe, most notably Apple, Facebook, Twitter and Microsoft in 2013. The threat actors behind the group were noted for the care they took in hiding command and control (C&C) server addresses and for building in features that helped their malware recover from any C&C shutdown attempts.

Like WildNeutron, Deceptikons is unusual for APT groups in focusing on commercial and non-governmental targets.

“In 2019, Deceptikons spear-phished a set of European law firms, deploying PowerShell scripts. As in previous campaigns, the actor used modified LNK files requiring user interaction to initially compromise systems and execute a PowerShell backdoor,” explained Kaspersky.

“In all likelihood, the group’s motivations included obtaining specific financial information, details of negotiations and perhaps even evidence of the law firms’ clientele.”

Hacker-for-hire groups represent a different but no less immediate threat to organizations than state-sponsored operatives. In some cases, they do go after government as well as commercial targets.

In June, Citizen Lab uncovered a major operation against journalists, rights groups, government officials, financial institutions and others, apparently orchestrated by an Indian tech firm. The mere presence of Dark Basin, as well as Deceptikons and groups like them, indicates there is a thriving market in the outsourcing of cyber-espionage activity.

Categories: Cyber Risk News

North Korean Hackers Sniffing for US Defense Secrets

Thu, 07/30/2020 - 09:34

North Korea is most likely behind a new cyber-espionage campaign targeting US defense and aerospace firms earlier this year, according to McAfee.

The security firm’s Advanced Threat Research (ATR) group said it detected similarities in TTPs with previous campaigns in 2017 and 2019 which were attributed to Hidden Cobra — the umbrella term used to refer to Pyongyang’s Lazarus, Kimsuky, KONNI and APT37 groups.

The new “Operation North Star” attacks, spotted running from March to May, used a fairly rudimentary spear-phishing email featuring legitimate job ads at defense contractors as a lure.

“This recent campaign used malicious documents to install malware on the targeted system using a template injection attack,” McAfee explained.

“This technique allows a weaponized document to download an external Word template containing macros that will be executed. This is a known trick used to bypass static malicious document analysis, as well as detection, as the macros are embedded in the downloaded template.”
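The template-injection technique McAfee describes leaves a trace in the document package itself, which defenders can check for without opening the file in Word. The scanner below is an added example, not McAfee's code or part of the report: it reads the relationship Word stores for a document's attached template and reports any target that points over the network. The part name `word/_rels/settings.xml.rels` and the `attachedTemplate` relationship type are OOXML format constants, not values from the page; the sample documents are built in memory and the host `template-host.invalid` is a constructed placeholder.

```python
"""Flag Word documents whose attached template is fetched over the network.

Added example (not McAfee's code). A .docx is a zip; Word records the
document's attached template as a relationship of the settings part. When that
relationship has TargetMode="External" and a network target, Word fetches the
template on open and runs any macros it carries, while the lure document itself
holds no macro for a static scanner to find. Sample documents are constructed.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Optional
from urllib.parse import urlsplit

# OOXML constants: the package relationships namespace, the attachedTemplate
# relationship type, and the part that lists relationships of word/settings.xml.
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def is_network_target(target: str) -> bool:
    """True when resolving the target would make Word reach over the network."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True  # UNC path to a remote share
    parts = urlsplit(target)
    scheme = parts.scheme.lower()
    if scheme in {"http", "https", "ftp"}:
        return True
    # file://host/share names a remote share; file:///C:/... is a local path.
    return scheme == "file" and parts.netloc not in ("", "localhost")


def remote_template_target(docx_bytes: bytes) -> Optional[str]:
    """Return the network URL of the document's attached template, or None.

    A document created from a local .dotx also carries an External
    relationship (a file:/// URI), so only network targets are reported.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if SETTINGS_RELS not in archive.namelist():
            return None  # no settings relationships: no attached template
        root = ET.fromstring(archive.read(SETTINGS_RELS))
    for rel in root.iter(PKG_NS + "Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal").lower() == "external"
        if external and is_network_target(target):
            return target
    return None


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        if template_target is None:
            z.writestr("word/settings.xml", f'<w:settings xmlns:w="{W_NS}"/>')
        else:
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr(SETTINGS_RELS,
                       f'<Relationships xmlns="{PKG_NS[1:-1]}">'
                       f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                       f'Target="{template_target}" TargetMode="External"/>'
                       '</Relationships>')
    return buf.getvalue()


# Constructed samples; the host below is a placeholder, not an indicator from the report.
PLAIN_DOC = build_sample_docx(None)
LOCAL_TEMPLATE_DOC = build_sample_docx("file:///C:/Users/analyst/Templates/Report.dotx")
REMOTE_TEMPLATE_DOC = build_sample_docx("http://template-host.invalid/jobdescription.dotm")

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_DOC), ("local template", LOCAL_TEMPLATE_DOC),
                      ("remote template", REMOTE_TEMPLATE_DOC)):
        print(f"{name}: {remote_template_target(doc)}")
```

A document created from a locally installed template also carries an `attachedTemplate` relationship with `TargetMode="External"`, so the check keys on where the target points rather than on the mode alone; a `file://` URI naming another host or a UNC path is reported as well. Run at a mail gateway or in a sandbox before the document reaches a user, a hit is grounds to detonate or quarantine the file, not a verdict in itself.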

According to the report, victims were also targeted via social media.

Compromised infrastructure in European countries was used to host the command and control (C2) servers and distribute implants to targeted machines, it added.

However, the C2 infrastructure wasn’t active at the time of analysis, which limited McAfee’s insight into the campaign. The report also wasn’t able to clarify exactly which organizations were targeted as it wasn’t able to retrieve any of the spear-phishing emails.

McAfee does know that the lures were job ads in engineering and project management positions across various US defense programs, including: F-22 fighter jets, Defense, Space and Security (DSS), photovoltaics for space solar cells and the Aeronautics Integrated Fighter Group.


Dussmann Group Data Leaked After Ransomware Attack

Thu, 07/30/2020 - 08:50

German giant Dussmann Group has become the latest company to fall victim to a ransomware-data breach attack, after hackers began posting stolen files to the dark web.

The facilities management multinational, which employs over 66,000 staff worldwide and makes billions of euros in sales annually, appears to have been struck by the Nefilim variant.

The group behind the ransomware began posting over 16,000 files to its dark web site as proof of its efforts, according to @ransomleaks. A screenshot shows the first part of the upload dated Monday with links to the archive, and reveals some personal contact details of the company’s executives.

Pioneered by groups such as Maze, this is a common tactic designed to persuade victim organizations who have backed-up their data to pay the ransom, although the cyber-criminals’ claims of how much data they actually have in their possession aren’t necessarily to be trusted.

A Dussmann statement issued by the firm revealed that the attack targeted its refrigeration subsidiary Dresdner Kühlanlagenbau, admitting that data “was encrypted and copied.

“The servers were shut down as a precaution. The data protection authorities and the State Office of Criminal Investigation in Saxony have been informed and charges have been filed,” it continued.

“Operational processes in the business unit for refrigeration air-conditioning plant engineering are secure. DKA has already informed clients and employees about the cyber-attack and the data outflow. Due to ongoing investigations, we cannot say more at present.”

It’s unclear exactly how the firm’s security was breached, although Nefilim is a fairly new variant that shares many characteristics with the Nemty ransomware family. On that basis, it is most likely to spread via RDP, according to Trend Micro.

Ransomware attackers have multiple tactics to target RDP including: exploitation of vulnerabilities in the protocol, brute forcing log-ins and purchasing breached RDP credentials online.

The risks are significantly higher today considering the number of remote workers using such tools to connect to office systems.


Rite Aid Drops Facial Recognition Tech

Wed, 07/29/2020 - 18:00

Rite Aid's quiet use of facial recognition technology in its stores has ended after nearly a decade.  

Since 2012, the American drugstore had gradually implemented the technology in 200 stores around the country, according to an investigation by Reuters.

Analysis of where the technology had been deployed indicated that Rite Aid had primarily installed it in lower-income neighborhoods. 

The pharmacy said that the geographical distribution of the technology was informed by local and national crime statistics together with each site's infrastructure and specific history of thefts.

Rite Aid said the technology was installed as part of an effort to deter thieves and protect staff from violent crime. Under the system, the faces of people entering a store were matched to those of individuals Rite Aid had previously observed engaging in criminal or potentially criminal activity. 

In the event of a match, an alert was sent to the smartphones of the store's security personnel. Customers could then be asked to leave if security staff, after reviewing the match, found it to be accurate.

After confirming the existence and scale of the technology's use in its stores to Reuters, Rite Aid last week said it was pulling the plug on the facial recognition program. It later stated that all the cameras linked to the facial recognition software had been turned off. 

“This decision was in part based on a larger industry conversation,” Rite Aid told Reuters in a statement, adding that “other large technology companies seem to be scaling back or rethinking their efforts around facial recognition given increasing uncertainty around the technology’s utility.”

In a statement issued in February, Rite Aid told Reuters that customers had been alerted to the use of the technology through in-store signage and via a privacy policy posted in 2020 on the company's website. 

During one or more visits from October 2019 to July 2020, Reuters' investigators found facial recognition cameras at 33 of the 75 Rite Aid stores they visited in Manhattan and central Los Angeles.

“Reporters found no notice of the surveillance in more than a third of the stores they visited with the facial recognition cameras,” stated Reuters.


Global Knowledge Partners with (ISC)²

Wed, 07/29/2020 - 17:00

The world’s largest non-profit association of certified cybersecurity professionals has named Global Knowledge as its official training provider in the United Kingdom. 

The partnership between Global Knowledge and (ISC)² was announced today as part of the latter’s drive to offer certified cybersecurity training to its UK customer base. 

Global Knowledge will be providing exam preparation training for the full range of (ISC)² certifications, responding to increased demand and a growing supply shortage of certified professionals in the cybersecurity workforce.

“Expanding the channel for (ISC)² certification training in the region to provide more choice to learners is of paramount importance at this critical time for both the UK and the global economy,” said Deshini Newman, managing director EMEA at (ISC)². 

“The world of work has changed in response to the challenges presented by the global pandemic. It has made cybersecurity skills all the more critical as organizations tackle the cyber-challenge on multiple fronts — dealing with external and internal cyber-threats, maintaining regulatory compliance amid evolving regulation, following best practices and securing an increasingly distributed workforce.”

Global Knowledge was established in 1995 and is headquartered in North Carolina. Every year the company delivers over one million information technology and business skills training courses to over 200,000 professionals. Course curriculums include communications skills, business analysis, project management, service management, process improvement and leadership development services.

“Global Knowledge welcomes the opportunity to be a (ISC)² Official Training Provider in the UK,” said Glyn Roberts, managing director at Global Knowledge UK. 

“For over two decades, Global Knowledge has provided the quality IT and business skills training that organizations of all sizes require to succeed in an ever-changing business world and cybersecurity landscape. This new partnership with (ISC)² will support our goal to continuously grow and innovate, ensuring our mutual customers always obtain the most relevant learning experience and content possible.”

Boasting a membership that exceeds 150,000, (ISC)² is best known for its acclaimed Certified Information Systems Security Professional (CISSP®) certification. In the UK, the association also partners with training providers Firebrand Training and Learning Tree International.


Madonna Censured Over Coronavirus Video

Wed, 07/29/2020 - 16:02

Pop icon Madonna has been censured for sharing a video on Instagram in which doctors tout hydroxychloroquine as an effective treatment for individuals infected with coronavirus.

The clip shared by her Madgesty shows members of America's Frontline Doctors speaking at a gathering held outside the US Supreme Court. In it, Houston doctor Stella Immanuel says that she has used hydroxychloroquine to effectively treat 350 coronavirus patients "and counting."

America's Food and Drug Administration has cautioned against the use of hydroxychloroquine or chloroquine for COVID-19 outside of a hospital setting or a clinical trial due to risk of heart rhythm problems.

The singer shared the video with 15 million followers together with a post that claimed a vaccine for COVID-19 had been discovered but was being suppressed to "let the rich get richer."

Instagram blurred out the video with a caption stating, "false information." Users who viewed the post were directed to a page informing them that no vaccine for the novel coronavirus has been created.

Madonna's fans and peers expressed disbelief over the singer's suggestion of the existence of a coronavirus conspiracy. 

"This is utter madness!!!," commented pop star Annie Lennox. "Hopefully your site has been hacked and you're just about to explain it."

The post was later removed from Madonna's Instagram account. The same video was previously shared by Donald Trump Jr. on Twitter, landing the president's son a 12-hour ban from using the social media app. 

In a move that could draw criticism from defenders of the right to free speech, both Facebook and Twitter have removed the video from their sites after declaring it to be false information. 

According to Simone Gold, leader of America's Frontline Doctors, the group's website was shut down yesterday by host Squarespace over claims the site's terms of service had been violated. 

Yesterday some of the doctors featured in the banned video met with Vice President Mike Pence.

Following the meeting, the group's leader Simone Gold tweeted: "We have just met with Vice President Mike Pence to request the administration's assistance in empowering doctors to prescribe hydroxychloroquine without political obstruction. We also discussed the recent censorship of doctors on social media platforms."


Vatican Infiltrated by Chinese Hackers Ahead of Sensitive Talks

Wed, 07/29/2020 - 15:35

The Vatican’s computer networks have allegedly been infiltrated by Chinese hackers in the run up to sensitive talks between the Catholic Church and Beijing focusing on the religion’s status in China.

This is according to cybersecurity firm Recorded Future, which detected a series of incursions into the Vatican and the Holy See’s Study Mission to China’s systems from the beginning of May. The latter organization is a Hong Kong-based group of de facto Vatican representatives.

It is a suspected case of cyber-espionage, with the Chinese state frequently accused of targeting religious groups, such as Buddhist Tibetans and Muslim Uighurs, through cyber-attacks in recent years. Recorded Future’s report noted that Chinese state-sponsored groups often target religious minorities in the region.

Talks are expected to take place in September between the Vatican and the Chinese government regarding the renewal of a provisional agreement signed in 2018 that revised the terms of the Catholic Church’s operations in China.

The report said multiple PlugX C2 servers that communicated with Vatican hosts were identified from mid-May until at least July 21 2020. In one attack, a customized PlugX payload was hidden in a letter purporting to be from the Vatican to Msgr. Javier Corona Herrera, the chaplain who heads the study mission in Hong Kong.

Recorded Future stated: “From early May 2020, The Vatican and the Catholic Diocese of Hong Kong were among several Catholic Church-related organizations that were targeted by RedDelta, a Chinese-state sponsored threat activity group tracked by Insikt Group.”

It added: “The suspected intrusion into the Vatican would offer RedDelta insight into the negotiating position of the Holy See ahead of the deal’s September 2020 renewal. The targeting of the Hong Kong Study Mission and its Catholic Diocese could also provide a valuable intelligence source for both monitoring the diocese’s relations with the Vatican and its position on Hong Kong’s pro-democracy movement amidst widespread protests and the recent sweeping Hong Kong national security law.”

Speaking to Infosecurity, Sam Curry, chief security officer at Cybereason, commented: “There are three certainties in life: death, taxes and Beijing’s repeated denials of having any involvement in cyber-espionage. The communist government can then claim plausible deniability and blame some third party that they likely hired to do their dirty work.”

He added: “As for the Vatican or any public or private entity, there is another certainty and that is repeated attempts to steal your proprietary information by a nation-state or rogue hacking group. Reducing risk should be paramount to any organization and one of the ways security analysts can see more deeply into a network is through threat hunting and around the clock monitoring of all inbound and outbound network traffic.”


Cyber-Criminals Continue to Exploit #COVID19 During Q2

Wed, 07/29/2020 - 15:00

Cyber-criminals’ exploitation of the COVID-19 pandemic to target individuals and businesses has continued unabated during the second quarter of 2020, according to ESET’s Q2 2020 Threat Report published today. The findings highlight how the crisis is defining the cybersecurity landscape in Q2 in a similar way as it did in Q1 after the pandemic first struck.

ESET observed a continuous focus on phishing using COVID-19 lures in this period. This included criminals taking advantage of the rise in online shopping that has occurred during the pandemic, with a 10-fold increase in phishing emails impersonating one of the world’s leading package delivery services found in comparison to Q1.

The shift to remote working as a result of the pandemic has also led to increased targeting of Remote Desktop Protocol (RDP) in recent months. Roman Kováč, chief research officer at ESET, commented: “Our telemetry showed a continued influx of COVID-19 lures in web and email attacks, as well as an increase in attacks targeting RDP, with persistent attempts to establish RDP connections more than doubling since the beginning of the year.”

Ransomware tactics were found to be “rapidly developing” in this period, with operators moving away from doxing and random data leaking towards auctioning the stolen data on dedicated underground sites.

The report also highlighted some of the important investigations undertaken by ESET researchers in recent months. This included the uncovering of a ransomware campaign targeting Android users in Canada under the guise of a COVID-19 tracing app. “We quickly put a halt to this operation and provided a decryptor for victims,” said Kováč.

Additionally, exclusive research revealed details of a malicious Google Chrome extension targeting hardware wallets for cryptocurrencies and a renewed targeted attack on a Hong Kong university.


BSIA Cybersecurity Group Releases New Code of Practice for Installers

Wed, 07/29/2020 - 14:00

The British Security Industry Association’s (BSIA) Cybersecurity Product Assurance Group (CySPAG) has announced the release of a new code of practice for installers responsible for safety and security systems.

Developed by the CySPAG, the Installation of safety and security systems – cybersecurity code of practice will assist in providing confidence throughout the supply chain, promoting secure connection of products and services and delivering client assurance regarding connected solutions. The recommendations put forward apply in addition to other standards and codes of practice relating to systems and equipment to be installed.

Steve Lampett, technical manager at BSIA, said: “We have long been concerned with the ever-increasing use of internet connected devices and systems in electronic security and how the growing links to home and business networks can leave individuals and companies vulnerable to cyber-attacks.

“It is also significantly important to acknowledge that there is a combined stakeholder effort in providing a cyber-secure solution, i.e. manufacturers, designers and installers working in collaboration to provide a credible cyber secure solution.”

The BSIA’s new code of practice for installers takes a practical approach to address cybersecurity risks, moves the sector forward in terms of managing that risk and has the potential to become a real game changer for the industry, Lampett added.

“This will not be the end goal but should steer industry practitioners into thinking differently about how we utilise new technology in security and equip the professional security industry for the future.”

Glenn Foot, chairman, CySPAG, explained that CySPAG has strong representation from various roles across the industry and has focused on what is practicable for installers to do and what can be expected of clients.

“The code of practice is the first step in a journey for this industry, and CySPAG is committed to continuing to support the industry with firstly comprehensive training modules for installation companies and also a linked code of practice for manufacturers.

“The overall aim is to ensure products are produced and installed securely.”


Qualys Announces Spell Security Acquisition

Wed, 07/29/2020 - 13:12

Qualys has announced the acquisition of endpoint detection and response startup Spell Security.

The acquisition will strengthen Qualys’ endpoint behavior detection portfolio and boost its own research capabilities with Spell’s deep knowledge of threat hunting and adversary techniques. Key Spell Security employees have joined Qualys’ Malware Detection Solutions, it has been disclosed.

Qualys said the addition of Spell Security’s hunting and reporting capabilities will enable its security teams to detect and hunt for high-fidelity threats, gain the full context of attack paths through correlation of all security vectors for the investigation and prioritization of security incidents, and respond appropriately to eliminate the root cause of incidents.

Philippe Courtot, chairman and CEO of Qualys, said: “Spell Security delivers outstanding malware and threat research capabilities, frontline experience investigating security incidents and data breaches, and powerful triage-driven threat hunting capabilities.

“Adding its technology to the Qualys Cloud Platform enables us to further strengthen our security and threat research, advanced endpoint behavior detection and provide customers with enhanced telemetry for even greater visibility, which helps them respond to threats more quickly. We welcome Spell Security to the Qualys family.”

Rajesh Mony, founder and CTO of Spell Security, said: “The entire Spell Security team and I are thrilled to be part of such a pioneering and innovative cybersecurity company. Qualys’ approach to delivering a unified cloud platform with all the information needed for protection, detection and response at your fingertips is well ahead of anything we’ve seen.”

The announcement coincides with the launch of Qualys’ Multi-Vector Endpoint Detection and Response (EDR) product. Multi-Vector EDR is designed to give security teams context and visibility across the entire attack chain for a more comprehensive, automated and faster response. It unifies multiple context vectors, including asset and software inventory, end-of-life visibility, vulnerabilities and exploits, misconfigurations, network traffic summaries, MITRE ATT&CK tactics and techniques, malware, endpoint telemetry and network reachability, and uses the Qualys backend to correlate them with threat intelligence for detection, investigation and response.

“Qualys Multi-Vector EDR represents a major extension to both the Qualys Cloud Platform and our agent technology,” said Courtot. “Adding context and correlating billions of global events with threat intelligence, analytics and machine learning results in a truly groundbreaking approach to EDR that not only stops sophisticated multi-vector attacks, but also automatically orchestrates the appropriate response all from a single solution, thus greatly reducing the time to respond while drastically reducing cost.”


Nation State Attackers Shift to Credential Theft

Wed, 07/29/2020 - 11:31

A greater focus is being placed on credential theft by nation state actors rather than stealing money.

Speaking on a virtual briefing, Jens Monrad, head of Mandiant Threat Intelligence for EMEA at FireEye, focused on attacks from Russia, Iran and China and their various activities. Monrad said attacks are easily done because of the user’s common digital footprint, which can allow an attacker to pick up on items about the victim and use them in a social engineering scenario.

He explained that the biggest detection of malware seen by FireEye customers is focusing on stealing credentials and stealing information, “and that makes sense as, regardless of your motivation, if you can steal or buy stolen credentials, you will make less noise in your operation.”

Furthermore, he compared a high-stakes “heist” to robbing a house: an attacker who can purchase the alarm code or the keys makes far less noise than one who has to break in.

“Credentials can vary from anything that requires a username and password to databases or access to cloud environments,” he said. “This is just part of the ecosystem we currently see, and [cyber-criminals] advertise databases and tools and services on the underground forums.”

Monrad added, from a cyber-criminal perspective or even as part of nation state campaign, buying those credentials may give you more of a silent entry into a system. “If you’re a cyber-criminal deploying ransomware post-compromise, this will make you more successful in your intrusions.” 

He said this is why Mandiant is focused on credential theft as a sole operation, as it sees this as a challenge for organizations to control their credentials, to monitor for stolen credentials and to make sure that they use the best guidance on passwords and enforcing MFA.

Asked by Infosecurity if the company's research had not considered nations which were seeking financial gain from attacks, such as North Korea, Monrad said the intention had been to focus on diplomatic attacks by Russia, “dual use” by China and “where anything is a threat” by Iran, but he admitted that where North Korea is involved, they do still see “those big money heists.”

He said that financial attacks are still happening, and there are more standard cyber-attacks taking place where the attacker tries “to gain large financial sums in one cyber-attack,” but the “longer game” with credential theft is now common, and from a cyber-criminal perspective, the value in purely financial attacks is diminishing, with more money made from “selling access to desktop machines.”

“With the exception of North Korea we do see that change,” he concluded, noting there is more interest in interacting with the banking transfer systems and mechanisms, and specifically with the SWIFT banking transfer system.


Promo Data Breach Hits 14.6 Million User Accounts

Wed, 07/29/2020 - 11:00

An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts.

Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident, which also affected customers of its Slidely business.

Although social media log-ins and financial information were not compromised, the attackers appear to have made off with plenty of sensitive personal data.

“The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo.

“Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.”

In fact, this does seem to be the case, after dark web traders were spotted selling the haul, including 1.4 million cracked passwords.

Although Promo failed to quantify the scale of the breach, HaveIBeenPwned has claimed the incident exposed 22 million records containing over 14.6 million unique email addresses.

Promo has informed all affected customers and will force a password reset as a precaution.

“Promo blamed a third-party vendor for exposing the passwords, but why is Promo sharing its users’ passwords with third parties in the first place? Furthermore, Promo must have been using an outdated hash algorithm to encrypt passwords if hackers were able to crack them,” argued Comparitech privacy advocate, Paul Bischoff.

“To add insult to injury, the data was posted on a forum before Promo even knew about the breach and was able to alert customers. That’s three strikes against Promo.”
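Promo's statement and Bischoff's point about an outdated hash algorithm both come down to the cost of one guess. The following is an added example, not Promo's or Comparitech's code, using a constructed password list and in-memory records: it stores the same password under a salted single-round SHA-256 and under salted PBKDF2-HMAC-SHA256, audits both against a dictionary as someone holding the leaked salt and hash could, and measures how much each guess costs. The iteration count, wordlist and passwords are assumptions chosen for the demonstration.

```python
"""Why a salted-but-fast hash still falls to offline guessing, and what a slow KDF changes.

Added example (not Promo's or Comparitech's code). Once a database is stolen,
each salt is in the attacker's hands alongside its hash, so salting only
prevents one guess from being checked against every account at once; it does
nothing to slow a per-account dictionary check. The cost per guess is set by
the hash function itself. All passwords and the wordlist here are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

Hasher = Callable[[str, bytes], bytes]
Record = Tuple[bytes, bytes]  # (salt, hash) as a site would store it per account

# Constructed stand-in for a leaked password dictionary (sample data).
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2020", "iloveyou"]

# Demonstration cost (assumption). Production deployments use a far higher
# count, or a memory-hard KDF such as scrypt or Argon2 where available.
PBKDF2_ITERATIONS = 100_000


def hash_fast(password: str, salt: bytes) -> bytes:
    """Salted single-round SHA-256: fast to verify, and therefore fast to guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_slow(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store(password: str, hasher: Hasher) -> Record:
    """Create the (salt, hash) record kept for one account; the salt is random per account."""
    salt = os.urandom(16)
    return salt, hasher(password, salt)


def verify(password: str, record: Record, hasher: Hasher) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    salt, stored = record
    return hmac.compare_digest(hasher(password, salt), stored)


def dictionary_check(record: Record, hasher: Hasher) -> Optional[str]:
    """Audit one stored record against the wordlist, exactly as someone holding
    the leaked (salt, hash) pair could offline. Returns the matching word or None."""
    for candidate in WORDLIST:
        if verify(candidate, record, hasher):
            return candidate
    return None


def cost_ratio(trials: int = 5) -> float:
    """How many times more wall-clock time one PBKDF2 guess costs than one SHA-256 guess."""
    salt = os.urandom(16)

    def timed(hasher: Hasher) -> float:
        start = time.perf_counter()
        for i in range(trials):
            hasher(f"guess{i}", salt)
        return max(time.perf_counter() - start, 1e-9)

    return timed(hash_slow) / timed(hash_fast)


if __name__ == "__main__":
    for label, hasher in (("salted SHA-256", hash_fast), ("salted PBKDF2", hash_slow)):
        weak = store("letmein", hasher)
        strong = store("Xq7!vT2#pL9zWk", hasher)  # constructed, not in the wordlist
        print(f"{label}: weak -> {dictionary_check(weak, hasher)}, "
              f"strong -> {dictionary_check(strong, hasher)}")
    print(f"one PBKDF2 guess costs ~{cost_ratio():.0f}x one SHA-256 guess")
```

Both schemes give up a password that is in the dictionary, because the salt is stored beside the hash and belongs to whoever has the database; what the slow KDF changes is that each guess costs orders of magnitude more, so a dump of millions of records takes correspondingly longer to work through. That is why a scheme built on a fast general-purpose hash counts as outdated for password storage even when salted, and why forcing a reset, as Promo did, is the right response once the records are out.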


#COVID19 Could Push Average Breach Cost to $4m

Wed, 07/29/2020 - 09:40

The average global cost of a data breach fell slightly from 2019-2020 but COVID-19 is likely to increase the financial impact and incident response times thanks to mass remote working, according to IBM.

Published today, the tech giant’s annual Cost of a Data Breach Report is compiled from analysis of 524 breached organizations and covers 17 countries and 17 industries.

The average breach cost of $3.86m is 1.5% down on last year’s study, but this is not necessarily a cause for celebration.

“Costs were much lower for some of the most mature companies and industries and much higher for organizations that lagged behind in areas such as security automation and incident response processes,” the report noted.

What’s more, the impact of mass remote working is expected to add $137,000 to these costs, delivering an adjusted average total cost of $4m, higher than last year’s $3.92m.

So-called “mega breaches” also experienced a surge in associated costs: for between one and 10 million records lost the costs are said to be $50m on average, while for breaches of over 50 million records the figure is a whopping $392m. That’s up from $388m in 2019 and is more than 100 times the average for breaches of under 100,000 records.

Cloud misconfigurations tied stolen or compromised credentials as the number one cause of breaches resulting from malicious attacks (19%).

Configuration errors caused the average breach cost to jump by half a million dollars to $4.41m; compromised credentials led to an even bigger financial hit, adding $1m to breach costs for an adjusted average of $4.77m.

Lost business comprises the biggest chunk (40%) of cost following a breach, increasing from $1.42m in 2019 to $1.52m this year. This can include customer churn, system downtime and the cost of finding new business, according to IBM.


Global Firms Delayed Key Security Projects as Pandemic Struck

Wed, 07/29/2020 - 08:38

Over 90% of global organizations were forced to delay key security projects as they transitioned to remote working earlier this year and many stopped patching, exposing themselves to cyber-threats, according to Tanium.

The unified endpoint management and security vendor polled 1000 CXOs to better understand how the pandemic has altered the risk landscape.

It revealed that identity and asset management (39%) and security strategy (39%) were the most common projects that had to be shelved. In the UK, anti-virus and malware sandboxing (37%) and network zoning (36%) initiatives were most in danger of being delayed.

Patching was also a key challenge for many organizations, with 88% admitting they have experienced difficulties during the pandemic and a quarter (26%) claiming they have completely side-lined the practice. This is despite a huge Microsoft Patch Tuesday workload for admins over the past few months, including the largest ever set of CVEs issued in June.

Many CXOs Tanium polled seem to have had a false sense of confidence at the start of the crisis: 85% said they felt ready for the shift to remote working, but in the end 98% admitted they were caught off guard by security challenges in the first two months.

The top three challenges they faced were: identifying new personal computing devices (27%), overwhelmed VPNs (22%) and security risks to video conferencing (20%).

Furthermore, 90% of respondents revealed that cyber-threats had increased, with data exposure (38%), business email or transaction fraud (37%) and phishing (35%) the most common attacks.

Tanium CISO, Chris Hodson, argued that many organizations were unprepared for such an abrupt shift to remote working at the start of the pandemic.

“It may have started with saturated VPN links and a struggle to remotely patch thousands of endpoints, but the rise in cyber-attacks and critical vulnerabilities has made it apparent that we’re still far from an effective strategy for the new IT reality,” he added.

“IT leaders need to incorporate resilience into their distributed workforce infrastructure. A key part of this is making sure organizations have visibility of computing devices in their IT environment.”

Categories: Cyber Risk News

Dell EMC Patches iDRAC Vulnerability

Tue, 07/28/2020 - 19:15
Dell EMC Patches iDRAC Vulnerability

A vulnerability in the Integrated Dell Remote Access Controller (iDRAC) that could have allowed cyber-criminals to gain full control of server operations has been detected.

The controller was designed for secure local and remote server management to help IT administrators deploy, update, and monitor Dell EMC PowerEdge servers.

The path traversal vulnerability, CVE-2020-5366, was discovered by researchers Georgy Kiguradze and Mark Ermolov at Positive Technologies. It has a CVSS score of 7.1, rated High.

By exploiting the flaw, a remote authenticated user could turn the product on or off or change its cooling or power settings. Such actions may sound relatively harmless, but they could potentially eat into the profits of businesses already struggling as a result of the global pandemic. 

"If important services are running on these servers, that could cause them to become temporarily unavailable, potentially resulting in losses for businesses," said a Positive Technologies spokesperson. 

Kiguradze said that if attackers obtained the backup of a privileged user, they could use the vulnerability to block or disrupt the server's operation. 

He explained: “The iDRAC controller is used to manage key servers, effectively functioning as a separate computer inside the server itself. iDRAC runs on ordinary Linux, although in a limited configuration, and has a fully-fledged file system. The vulnerability makes it possible to read any file in the controller's operating system, and in some cases to interfere with operation of the controller (for instance during reading symbolic Linux devices like /dev/urandom)."

Researchers found that the vulnerability affects Dell EMC iDRAC9 controllers with firmware versions prior to and can be exploited internally or externally. 

"This attack can be performed externally—if an attacker has credentials, perhaps by bruteforcing, although this is unlikely given the product's anti-bruteforcing protections—or internally, such as with the account of a junior admin with limited access to the server,” said Kiguradze. 

iDRAC is offered as an option for almost all current Dell servers. Following the flaw's detection, Dell EMC has released updated firmware and urges users to install it as soon as possible.

Users are advised not to connect iDRAC directly to the internet but rather to place it on a separate administration network. 

Categories: Cyber Risk News

Operators of VHD Ransomware Unveiled

Tue, 07/28/2020 - 18:29
Operators of VHD Ransomware Unveiled

A state-sponsored threat group has created its own ransomware and is using it against large organizations for financial gain. 

New research published today by Kaspersky claims that a strain of ransomware named VHD that was first detected in the spring can be attributed to threat group Lazarus with "high confidence." 

Lazarus is a state-sponsored cyber-criminal organization operating with the support of North Korea.

The link between VHD and Lazarus was made during the analysis of a recent cyber-attack targeting businesses in France and Asia. Analysts found that the companies had simultaneously been hit with known Lazarus tools in conjunction with the newly created ransomware.  

Researchers subsequently concluded that it was Lazarus that had created the ransomware and that was now using it to hit large organizations, a practice known as big-game hunting. 

"The move by Lazarus to create and distribute ransomware signifies a change of strategy and indicates a willingness to engage in big game hunting in pursuit of financial gain, which is highly unusual among state-sponsored APT groups," said a Kaspersky spokesperson.

VHD ransomware was first reported on in March and April 2020, when it stood out due to its self-replication method. 

"This malware’s use of a spreading utility, compiled with victim-specific credentials, was reminiscent of APT campaigns," said Kaspersky. 

Researchers found that the attackers using VHD had used a backdoor that was a part of a multiplatform framework called MATA. A number of code and utility similarities link this platform to Lazarus. 

“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. 

“The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors."

Kwiatkowski advised organizations to avoid becoming ransomware victims by taking preemptive action.

He said: "Organizations need to remember that data protection remains important as never before—creating isolated back-ups of essential data and investing in reactive defenses are absolute must-dos.”

Categories: Cyber Risk News

Accountability Concerns Main Reason Security Pros Want to Quit

Tue, 07/28/2020 - 16:31
Accountability Concerns Main Reason Security Pros Want to Quit

The main reason security professionals want to leave their jobs is a lack of executive accountability for strategic security decisions, according to new research.

A survey of more than 300 security professionals and executives around the world conducted by LogRhythm found that 42% of participants wanted to quit over inadequate executive accountability. 

The findings of the survey were published today in the report "The State of the Security Team: Are Executives the Problem?" LogRhythm commissioned the report to understand the root causes of the stress under which security teams operate, obtain feedback on how stress can be alleviated, and identify the best paths to remediation. 

Worryingly, the report revealed that 75% of security professionals feel they now experience more work-related stress than they did just two years ago.

“Now, more than ever, security teams are being expected to do more with less, leading to increasing stress levels. With more organizations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern,” said James Carder, CSO and VP of LogRhythm Labs. “This is a call to action for executives to prioritize alleviating the stress and better support their teams with proper tools, processes, and strategic guidance.”

When asked what causes the majority of work-related stress, the two most commonly given answers were not having enough time (41%) and working with executives (18%). More than half of respondents (57%) stated that their security program lacks proper executive support, defined in the survey as the provision of strategic vision, buy-in, and budget.

The top five responses given as to what would help alleviate workplace stress were an increased security budget (44%), experienced security team members (42%), better cooperation from other IT teams (42%), a supportive executive team (41%), and a fully staffed security team (39%). 

Other key findings of the survey were that 93% of security professionals felt they lack the tools to detect known security threats, and 92% said they do not have the appropriate preventative solutions to close current security gaps.

Only one in three companies (32%) said that they have a real-time security dashboard that provides a clear, consolidated view of all their security solutions.

Categories: Cyber Risk News

No More Ransom Initiative Reflects on Achievements on Fourth Anniversary

Tue, 07/28/2020 - 14:30
No More Ransom Initiative Reflects on Achievements on Fourth Anniversary

The No More Ransom Initiative has reached its fourth anniversary this month, having marked some considerable achievements in that time. According to one of the founders, Europol, the No More Ransom decryption tool repository has registered over 4.2 million visitors from 188 countries in the last four years, preventing an estimated $632m from getting into the hands of criminals.

The initiative was set up back in July 2016 as a collaboration between law enforcement and IT security companies to disrupt cyber-criminal businesses with ransomware connections. They set up an online portal that informs the public about the dangers of ransomware and helps victims to recover their data without having to pay a ransom to cyber-criminals.

The portal, which has added 28 new tools this year alone, is now capable of decrypting 140 different types of ransomware infections. The portal is also available in 36 languages.

From the founding members of the Dutch National Police, Europol, McAfee and Kaspersky, No More Ransom has now expanded to 163 partners from across the world.

Commenting on the anniversary, Fedor Sinitsyn, security expert at Kaspersky, said: “The success of the No More Ransom initiative is a shared success, one that cannot be achieved by law enforcement or private industry alone. By joining forces, we enhance our ability to take on the criminals and make it harder for them to harm people, businesses and critical infrastructure.

“What ransomware has taught us for sure is that prevention is no doubt better than a cure. Internet users need to avoid becoming a victim in the first place. Many relevant prevention tips are available on the No More Ransom website. If you do become a victim, it is important not to pay the ransom and report your infection to the police.”

John Fokker, head of cyber-investigations at McAfee, added: “Organizations should also remember to do their due diligence when it comes to securing systems and training employees: social engineering is still an incredibly efficient tactic for criminals looking to infect systems.

“Ultimately, when it comes to fighting ransomware, we will need to continue working together to keep pace with attackers – whether that’s coordination between public and private organizations, sharing of threat intelligence or education and training within individual businesses.”

Categories: Cyber Risk News

Garmin Confirms Cyber-Attack as Ransomware Recovery Rumored

Tue, 07/28/2020 - 12:50
Garmin Confirms Cyber-Attack as Ransomware Recovery Rumored

Garmin has finally admitted that its recent outage was caused by a cyber-attack.

In an update last week, the company initially said it was “experiencing an outage that affects flyGarmin and as a result, the flyGarmin website and mobile app are down at this time.” However, following rumors online that the company had actually suffered a ransomware attack, and that it had even paid a $10m ransom, the company has updated its statement to confirm that it suffered a “cyber-attack that encrypted some of our systems on July 23 2020.”

This resulted in many of its online services being interrupted, including website functions, customer support, customer facing applications and company communications. “We immediately began to assess the nature of the attack and started remediation.”

It said there was no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen, and that the functionality of Garmin products was not affected; the only damage was to the services that were taken offline. “Affected systems are being restored and we expect to return to normal operation over the next few days,” it added.

According to some reports, sources confirmed that the company had suffered a ransomware attack, and that it had been hit by WastedLocker, which SentinelOne explained was a “relatively new ransomware family which has been tracked in the wild since April/May 2020” and targets high-value companies.

Denis Legezo, senior security researcher at Kaspersky, said: “Technically speaking, WastedLocker is a targeted ransomware, which means its operators come for selected enterprises instead of every random host they can reach.

“The encryption algorithms in use are nothing special for ransomware: modern and strong. The ransomware’s operators add the victim company’s name in the ransom messages – the messages with information about how to contact the malefactors through secure e-mail services and the like. So it's pretty obvious they know for whom they came after.”

It was also reported by iThome that Garmin’s IT department sent a notice to various departments in Taiwan stating that internal IT servers and databases were attacked and production lines were also suspended for two days. Later it was rumored that the attackers had demanded a $10m ransom payment, and that Garmin had obtained the decryption key.

Categories: Cyber Risk News

Identity Governance Business Critical as Orgs Return to Work, Say IT Experts

Tue, 07/28/2020 - 12:00
Identity Governance Business Critical as Orgs Return to Work, Say IT Experts

The majority of IT experts believe that monitoring for cybersecurity threats will become more challenging over the next 18 months as organizations return to work from a variety of locations, with identity management key to cybersecurity success.

That’s according to a new survey from identity and cybersecurity firm SailPoint which discovered that 86% of IT experts in EMEA expect their organization’s number of Software-as-a-Service (SaaS) applications to grow over the next year-and-a-half, even as UK workers begin heading back to physical office spaces as the COVID-19 lockdown continues to ease.

Identity governance is therefore going to be business critical to effectively manage cybersecurity threats, the survey noted. In fact, 62% of respondents said they are considering expanding their organization’s identity platform over the next year to help meet the challenges ahead.

Ben Bulpett, EMEA director at SailPoint, said: “The shift to remote working has made it more difficult for IT teams to monitor the enterprise security perimeter, with hackers looking to take advantage of multiple user access points.

“For many companies, security and compliance gaps have surfaced in the rush to maintain business continuity, and it’s crucial these issues are resolved to ensure business survival. As organizations brace themselves for a new economic storm, identity governance is one of the tools that can help them navigate through the challenging times ahead.”

Whether employees continue working from home, return to the office with different responsibilities, or enter into a contract-based role, identity governance plays a crucial part in protecting the enterprise security perimeter, Bulpett added.

“Through this, IT teams can speed up the process of enabling and securing their users’ access to key applications, data and infrastructure, pivoting quickly as the business’ and users’ needs change.”

Categories: Cyber Risk News