Info Security

Subscribe to Info Security  feed
Updated: 32 min 17 sec ago

Most Organizations Not Prepared to Safely Support Home Working

Fri, 05/29/2020 - 14:05
Most Organizations Not Prepared to Safely Support Home Working

Most organizations are not sufficiently prepared to securely support remote working even though 84% intend to continue this practice beyond COVID-19 lockdowns, according to Bitglass’ 2020 Remote Workforce Report. The survey of IT professionals found that 41% of businesses have not taken any steps to expand secure access for the remote workforce, while 65% are allowing personal devices to access managed applications.

The study was undertaken to better understand how well businesses were prepared, from a cybersecurity perspective, for the sudden surge in remote working as a result of the pandemic.

Of those surveyed, 50% said lack of proper equipment was the biggest barrier to providing secure access for employees working from home. The types of applications that organizations were most concerned about securing were file sharing (68%), web applications (47%) and video conferencing (45%).

Malware was listed as the most concerning threat vector related to remote working by IT professionals (72%), followed by unauthorized user access (59%). Unsurprisingly, anti-malware was the most utilized security tool for remote work, at 77%. However, there was a lack of deployment of tools like single sign-on (45%), data loss prevention (18%) and user and entity behaviour analytics (11%).

“This research indicates that many organizations are not implementing the security measures necessary to protect their data in the current business environment,” commented Anurag Kahol, CTO of Bitglass. “For example, while respondents said that the pandemic has accelerated the migration of user workflows and applications to the cloud, most are not employing cloud security solutions like single sign-on, data loss prevention, zero trust network access or cloud access security brokers.

“On top of that, 84% of organizations reported that they are likely to continue to support remote work capabilities even after stay at home orders are lifted. To do this safely, they must prioritize securing data in any app, any device, anywhere in the world.”

Another worrying aspect of the study was that 63% of respondents believed remote working would impact their compliance with regulatory mandates, with 50% citing GDPR specifically.

Categories: Cyber Risk News

NSA: Russian Military Sandworm Group is Hacking Email Servers

Fri, 05/29/2020 - 10:40
NSA: Russian Military Sandworm Group is Hacking Email Servers

The US National Security Agency (NSA) has released a new alert warning that Russian state hackers have been exploiting a vulnerability in Exim email servers for over nine months.

Exim is mail transfer agent (MTA) software developed by the University of Cambridge which is used on Unix-based operating systems. Bundled with many popular Linus distributions like Red Hat and Debian, it’s thought to run on millions of email servers globally.

However, the NSA warned that organizations which have failed to patch CVE-2019-10149, which was fixed in June 2019, may be at risk of attack from the infamous Sandworm group.

“The actors exploited victims using Exim software on their public facing MTAs by sending a command in the ‘MAIL FROM’ field of an SMTP (Simple Mail Transfer Protocol) message,” the advisory stated.

“An unauthenticated remote attacker can send a specially crafted email to execute commands with root privileges allowing the attacker to install programs, modify data, and create new accounts.”

Specifically, when CVE-2019-10149 is exploited by Sandworm, the targeted machine downloads and executes and shell script from a domain under the group’s control. This script will in turn attempt to: add privileged users, disable network security settings, update SSH configuration to enable additional remote access and execute an additional script to enable follow-on exploitation.

The NSA urged organizations to upgrade their Exim installations to 4.93 or newer, and use network-based security appliances to detect and/or block CVE-2019-10149 exploit attempts.

Staffed by operatives from the Russian GRU (military intelligence) Main Center for Special Technologies (GTsST), field post number 74455, Sandworm is known to be one of the most sophisticated state hacking outfits around.

It has been widely linked to the BlackEnergy malware used in attacks on Ukrainian power stations in 2015 and 2016, which caused major outages during winter, as well as campaigns against NATO members and European governments in 2019.

Categories: Cyber Risk News

Revealed: Advanced Java-Based Ransomware PonyFinal

Fri, 05/29/2020 - 09:15
Revealed: Advanced Java-Based Ransomware PonyFinal

Microsoft has warned of a new type of data stealing Java-based ransomware, dubbed PonyFinal.

PonyFinal is what Microsoft describes as “human-operated ransomware” — to distinguish it from commoditized variants that are distributed in an automated way by hackers.

The tech giant’s Security Intelligence group revealed in a series of tweets this week that the first stage involves access to a targeted organization via brute force attacks against the systems management server.

A VBScript is deployed to run a PowerShell reverse shell which enables data exfiltration to a C&C server over Port 80. The attackers also deploy a remote manipulator system to bypass event logging.

“In certain cases, the attackers deploy Java Runtime Environment (JRE), which the Java-based PonyFinal ransomware needs to run. However, evidence suggests that attackers use information stolen from the systems management server to target endpoints with JRE already installed,” Microsoft continued.

Thus, if organizations already have JRE on their systems, they may be blind to any attack.

“The PonyFinal ransomware is delivered through an MSI file that contains two batch files and the ransomware payload,” Microsoft continued. “UVNC_Install.bat creates a scheduled task named 'Java Updater' and calls RunTask.bat, which runs the payload, PonyFinal.JAR.”

According to Microsoft, PonyFinal encrypts files at a specific date and time and, like similar “human-operated” ransomware attacks, it is likely that those wielding it will bide their time to wait for the most opportune moment to deploy the payload.

In the case of recent attacks on hospitals, that was in early April when many healthcare organizations were battling a peak of COVID-19 admissions.

Microsoft recommends that organizations reduce their attack surface by ensuring internet-facing assets are up-to-date with patches, especially VPNs and other remote access infrastructure, and conducting regular audits of misconfigurations and vulnerabilities.

For PonyFinal in particular it is recommended to scan for brute force activity.

Categories: Cyber Risk News

Over 600 NTT Customers Hit in Major Data Breach

Fri, 05/29/2020 - 08:20
Over 600 NTT Customers Hit in Major Data Breach

One of the world’s largest telecoms and IT services companies has revealed that attackers may have stolen data from its internal systems, affecting over 600 customers.

NTT Communications provides cloud, network and data center services to some of the world’s biggest companies. Its parent, NTT Group, is ranked in the top 100 of the Fortune Global 500.

The firm claimed in a lengthy statement on Thursday that it detected unauthorized access to its Active Directory (AD) server on May 7, confirming the attack four days later.

Although an English language version of the notice has yet to be published, it appears that hackers first compromised a cloud server (labelled server B by the firm) located in its Singapore data center, before using it as a stepping stone to attack another internal server (server A) and its AD server.

Attackers also jumped from server B to compromise an information management server (server C) used to service NTT's cloud and hosting customers.

It is server C which NTT Communications claimed attackers may have breached to steal data on 621 customers.  

The firm said it is taking steps to mitigate the incident and prevent anything similar happening in the future.

Just last week, NTT warned in its annual Global Threat Intelligence Report that the technology sector was the most attacked worldwide in 2019.

It claimed that hackers are increasingly using “multi-function attack tools” and artificial intelligence/machine learning capabilities, as well as automation techniques, to increase their chances of success. Over a fifth (21%) of attacks globally featured some form of vulnerability scanner, it said.

The type of NTT customer data stolen by hackers in May and the techniques used to compromise servers and move laterally inside its network are unclear at this stage.

Categories: Cyber Risk News

Comedian Arrested for Cybercrime over Face Swap

Thu, 05/28/2020 - 17:34
Comedian Arrested for Cybercrime over Face Swap

Tanzanian comedian Idris Sultan has been arrested after posting a face-swap photo on social media involving his president. 

Earlier this month, Sultan shared images of himself and of Tanzanian president John Pombe Magufuli in which the faces of each subject had been swapped over. One of the pictures shows Sultan posing on a presidential chair with the national seal, while the other shows the president's face on the comedian's body.

Sultan's lawyer, Benedict Ishabakaki, said the comedian and radio show host was summoned by police on May 19 and questioned over a possible violation of a law against cyberbullying.

According to news agency the AFP, Sultan was subsequently charged with a lesser offense related to using a SIM card registered in someone else's name.

Sultan, a former show winner of the TV series Big Brother Africa, was released from police custody on May 27 after posting bail of 15 million Tanzanian shillings (more than $6,000).

His hearing was attended by his sister and vocalist Lulu Diva and by the singer Lady Jay Dee. 

The comedian's release comes the day after opposition leaders and activists launched a Twitter campaign to demand that the case against Sultan be dismissed. 

Sultan is no stranger to Tanzania's legal system. In October last year, the comedian was arrested for photoshopping President Magufuli’s face onto a picture of himself and sharing it with his 5 million followers on social media.

The comedian said that he had shared the photo in good faith as a way to celebrate the president's birthday on October 29. 

Sultan said: “I had no ill intentions; I was just wishing the president a happy birthday. If the president did not like my birthday message, I apologize."

Following his foray into photoshopping, Sultan was accused of violating Tanzania's Cybercrimes Act, which forbids the use of a computer to impersonate someone else. After being questioned over his alleged intent to "coerce, intimidate, harass or cause emotional distress," the comedian was eventually released without charge.

Magufuli took office in 2015 as a corruption-fighting "man of the people" but has been criticized for his authoritarian leadership style. According to Human Rights Watch and Amnesty International, there is a "shrinking space for freedom of expression" in Tanzania.

Sultan's latest case is due to be heard in court on June 9.  

Categories: Cyber Risk News

DoD Contractors Team Up with HPE on Ransomware-Stopper

Thu, 05/28/2020 - 16:48
DoD Contractors Team Up with HPE on Ransomware-Stopper

Hewlett Packard Enterprise (HPE) has announced the inclusion of RackTop Systems' BrickStor SP in its Complete program. 

BrickStor SP is a data security software platform that boldly claims to eliminate the threat of ransomware attacks and data breaches. The platform was built by Department of Defense intelligence community veterans charged with protecting the United States’ data while meeting the nation's data security compliance regulatory requirements.

HPE plans to resell RackTop BrickStor SP software with its own ProLiant and Apollo Servers to meet the high-security file-storage needs of  ]the federal government.

RackTop Systems CEO Eric Bednash said a prevailing failure to update their cybersecurity tools is making organizations in the United States vulnerable to cyber-attacks.  

“Enterprises and government entities are losing the cyber-war because they are using old tools and 90’s design standards which are largely focused on stopping network infiltration, rather than protecting data," said Bednash.

"Based on our experience, most of the bad guys are already inside the network today."

Explaining how RackTop's platform works to block ransomware attacks, Bednash said: “BrickStor attacks the problem properly by securing unstructured data at its source so that it can’t be seized, maliciously encrypted, or exploited. 

"Together with HPE and their world class secure and versatile hardware, for the first time, customers can achieve end-to-end infrastructure security from a single vendor without gaps or loosely coupled bolt-ons.”

Rapid and unstructured data growth can result in information's not being stored securely, making an organization vulnerable to cyber-attackers. Chris Powers, VP, Collaborative Platform Development, HPE Storage and Big Data, said RackTop tackles this issue by embedding its security and compliance software within a scalable data-storage system for unstructured files, protecting it at the source.

“BrickStor SP fills a high data security need in the storage market. We are entering a new era in IT infrastructure where security and compliance are a necessity,” said Powers.

“RackTop’s storage software and security platform is a natural fit with our ProLiant and Apollo Servers which feature silicon-anchored, cradle-to-grave security. Together we bring our Federal Government customers a complete Zero Trust data security solution.”

Categories: Cyber Risk News

IT Leaders Overestimate Staff's Commitment to WFH Security

Thu, 05/28/2020 - 16:18
IT Leaders Overestimate Staff's Commitment to WFH Security

IT leaders who trust their employees to follow security best practices while working from home are sadly overoptimistic.  

According to new research published today by email security firm Tessian, while 91% of IT leaders believe their staff are doing their best to work securely from home, 52% of employees believe toiling from home means they can get away with riskier behavior.

Tessian surveyed 2,000 employees across the US and the UK as well as 250 IT decision-makers to examine the state of data loss within organizations. Researchers also set out to learn how data loss is impacted by employees working remotely. 

The survey revealed that 48% of employees cite “not being watched by IT” as the number one reason for not following safe data practices when working from home. The second excuse given for working on the wild side was "being distracted."

While such results might lead one to conclude that tighter controls are needed to maintain security, Tim Sadler, CEO and co-founder of Tessian, said that this tactic would not work on its own.

"Business leaders need to address security cultures and adopt advanced solutions to prevent employees from making the costly mistakes that result in data breaches and non-compliance," said Sadler.

"It’s critical these solutions do not impede employees’ productivity though. We’ve shown that people will find workarounds if security gets in the way of them doing their jobs, so data loss prevention needs to be flexible if it’s going to be effective.” 

Researchers found that IT leaders in the US underestimate how many of their employees' emails are misdirected. While IT leaders in US organizations with over 1,000 employees estimate that 480 emails are sent to the wrong person every year, the real figure recorded by Tessian platform data is 1.6 times higher.

More than half of survey respondents―51%―said security policies were impeding their productivity, while 54% said that they will find workarounds if security policies stop them from doing their jobs. 

Compared to the UK, workers in the US were much more likely to act in way that could jeopardize the security of their company. Employees in the US were twice as likely to send an email to the wrong person and twice as likely to take company documents home with them when they leave a job.

Categories: Cyber Risk News

Intelligence Gateway Launches to Compile Malicious #COVID19 URLs

Thu, 05/28/2020 - 16:15
Intelligence Gateway Launches to Compile Malicious #COVID19 URLs

An internet intelligence gateway has been established to analyze and compile malicious URLs related to COVID-19.

With thousands of newly created COVID-19-related malicious websites launching every day, the gateway accepts submissions of suspicious URLs or emails, providing a lookup service that taps into RiskIQ’s infrastructure to analyze and compile malicious URLs related to COVID-19. Submissions are analyzed by RiskIQ’s systems and each malicious URL is added to RiskIQ blacklists through community participation.

Over a two-week period, RiskIQ noted 317,000 new websites related to COVID-19. 

“Our goal with the gateway is to help the security community work together in our response to the influx of criminal activity,” said RiskIQ CEO Lou Manousos. “The COVID-19 Internet Intelligence Gateway will be a powerful resource for keeping organizations safe during this crisis.”

The gateway will also allow security teams to block blacklists of known bad infrastructure to immediately protect their organizations from new campaigns leveraging the COVID-19 crisis.

Also newly launched is a COVID-19 Chrome Extension, which allows users to submit suspect URLs, host names or domains to RiskIQ for “crawling” purposes. Reports will include detailed information from the crawl, including referenced pages, screenshots and classification of content.

In April, it was reported that 18 million malware and phishing Gmail messages related to COVID-19 were detected by  Google’s Threat Analysis Group per day, in addition to more than 240 million COVID-related daily spam messages.

It detected examples including fake solicitations from charities and NGOs, messages trying to mimic employer communications and employees working from home, along with websites posing as official government pages and public health agencies.

Categories: Cyber Risk News

C-Level Executives the Weakest Link in Organizations’ Mobile Security

Thu, 05/28/2020 - 15:45
C-Level Executives the Weakest Link in Organizations’ Mobile Security

C-suite executives are the people most susceptible to mobile-based cyber-attacks in businesses, according to a study from MobileIron. The report, entitled Trouble at the Top found that while these executives are highly targeted by cyber-criminals in attacks on organizations, they are also more likely than anyone else to have a relaxed attitude to mobile security.

In the analysis, research from 300 enterprise IT decision makers across Benelux, France, Germany, the UK and the US was combined with findings from 50 C-level executives from the UK and the US. It revealed that many C-level executives find mobile security protocols frustrating, with 68% feeling IT security compromises their personal privacy, 62% stating it limits the usability of their device and 58% finding it too complex to understand.

As a result of these issues, 76% of C-suite executives had asked to bypass one or more of their organization’s security protocols last year. This included requests to: gain network access to an unsupported device (47%), bypass multi-factor authentication (45%) and obtain access to business data on an unsupported app (37%).

“These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach,” commented Brian Foster, SVP product management, MobileIron. “Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, multi-factor identification – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-suite execs.” 

To exacerbate this issue, IT decision makers included in the study overwhelmingly stated that C-suite is the group most likely to both be targeted by (78%), and fall victim to (71%), phishing attacks.

Foster added: “These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cybersecurity, while execs often see themselves as above security protocols.”

Categories: Cyber Risk News

Cyber-Criminals Impersonating Google to Target Remote Workers

Thu, 05/28/2020 - 14:44
Cyber-Criminals Impersonating Google to Target Remote Workers

Remote workers have been targeted by up to 65,000 Google-branded cyber-attacks during the first four months of 2020, according to a new report by Barracuda Networks. The study found that Google file sharing and storage websites were used in 65% of nearly 100,000 form-based attacks the security firm detected in this period.

According to the analysis, a number of Google-branded sites, such as storage.googleapis.com, docs.google.com, storage.cloud.google.com and drive.google.com, were used to try and trick victims into sharing login credentials. Google-branded attacks were far in excess of those impersonating Microsoft, with the sites onedrive.live.com, sway.office.com and forms.office.com making up 13% of attacks.

Other form-based sites used by attackers included sendgrid.net (10%), mailchimp.com (4%) and formcrafts.com (2%).

Overall, the use of the Google brand by cyber-criminals to trick users appears to be increasing: Barracuda Networks observed Google-brand impersonation attacks represented 4% of all spear-phishing attacks during the first four months of 2020. This figure is expected to rise, as it has proved to be successful in the harvesting of credentials.

Steve Peake, UK systems engineer manager, Barracuda Networks, outlined: “Brand-impersonation spear-phishing attacks have always been a popular and successful method of harvesting a user’s login credentials, and with more people than ever working from home, it’s no surprise that cyber-criminals are taking the opportunity to flood people’s inboxes with these scams. The sophistication of these attacks has accelerated in recent times: now, hackers can even create an online phishing form or page using the guise of legitimate services, such as forms.office.com, to trick unsuspecting users.”

There has been a substantial rise in phishing attacks recently as a result of the increase in people working from home during the COVID-19 pandemic, with security systems and practices difficult to maintain for many businesses in these circumstances.

Barracuda Networks added that security methods such as multi-factor identification and email security software are especially vital for organizations at this time.

Categories: Cyber Risk News

Check Point Unmasks Hacktivist Who Defaced Nearly 5000 Sites

Thu, 05/28/2020 - 10:01
Check Point Unmasks Hacktivist Who Defaced Nearly 5000 Sites

Security researchers are claiming victory after unmasking an infamous hacktivist who defaced nearly 5000 websites in more than 40 countries over the past few years.

The individual, known online as “VandaTheGod” on Twitter, took to social media to publicize his exploits, sometimes under aliases such as “Vanda de Assis” and “SH1N1NG4M3,” according to Check Point.

This activity first alerted the security firm to his presence, and also provided a trail of clues which ultimately led them to his real identity: an individual living in the south-eastern Brazilian municipality of Uberlandia.

Active since 2013, the hacktivist never reached his stated personal goal of compromising over 5000 websites. However, thousands of government, academic and corporate sites were apparently defaced with anti-government and social justice messages thanks to his work.

In the last year, over half (57%) were located in the US — where victims included the official website of the state of Rhode Island and the city of Philadelphia — while Australia and the Netherlands rounded out the top three targeted countries.

VandaTheGod was also active in his home country, defacing a Brazilian government website with the hashtag #PrayforAmazonia, in response to the increase in rainforest clearing approved by right-wing President Bolsonaro.

However, his motives weren’t always so altruistic, and occasionally strayed into theft of credit card details and log-ins. VandaTheGod is said to have attempted to breach details from public figures, universities and even hospitals — one on occasion offering to sell the medical records of one million New Zealand patients for $200 per record.

“This case highlights the level of disruption that a single, determined individual can cause internationally. Although ‘VandaTheGod’s’ motive originally seemed to be protesting against perceived injustices, the line between hacktivism and cybercrime is thin,” argued Check Point manager of threat intelligence, Lotem Finkelsteen. 

“We often see hackers taking a similar path from digital vandalism to credentials and money theft as they develop their techniques. Revealing the person’s true identity and disclosing it to law enforcement should put an end to their extensive disruptive and criminal activities.”

Categories: Cyber Risk News

Ransomware Demands Soared 950% in 2019

Thu, 05/28/2020 - 08:45
Ransomware Demands Soared 950% in 2019

Ransomware operators had another standout year in 2019, with attacks and ransom demands soaring according to new data from Group-IB.

The Singapore-based security vendor claimed that, after a relatively quiet 2018, ransomware was back with a vengeance last year, as attack volumes climbed by 40%.

As large enterprises became an increasing focus for attacks, ransom demands also soared: from $8,000 in 2018 to $84,000 last year. That’s a 950% increase.

The “greediest ransomware families with highest pay-off” were apparently Ryuk, DoppelPaymer and REvil, the latter on occasion demanding $800,000.

As mentioned, last year saw an increasing number of attackers focus their efforts on larger targets, often using sophisticated APT-style tactics, according to Group-IB. This included trojans such as Dridex, Emotet, SDBBot, and Trickbot to compromise victims and post-exploitation frameworks such as Cobalt Strike, CrackMapExec , PowerShell Empire, PoshC2, Metasploit, and Koadic to gather info on the targeted network. Data theft also became a popular way to force payment.

Phishing emails continued to be the number one initial threat vector, alongside RDP compromise and websites infected with exploit kits, the security vendor added.

“The year of 2019 was marked by ransomware operators enhancing their positions, shifting to larger targets and increasing their revenues, and we have good reason to believe that this year they will celebrate with even greater achievements,” said Group-IB senior digital forensics specialist, Oleg Skulkin.

“Ransomware operators are likely to continue expanding their victim pool, focusing on key industries, which have enough resources to satisfy their appetites. The time has come for each company to decide whether to invest money in boosting their cybersecurity to make their networks inaccessible to threat actors or risk being approached with ransom demand and go down for their security flaws.”

Ransomware operators have indeed picked up where they left off at the end of 2019, launching a blizzard of attacks against firms struggling to adapt to mass remote working, as well as hospitals fighting COVID-19.

According to Coveware, the average ransom paid in the first three months of the year surged by 33% quarter-on-quarter. However, contrary to Group-IB’s analysis, it claimed that despite the “big game hunting” narrative, most victims are likely to be SMBs.

The average number of employees in ransomware victims was 625 in Q1, with the median a much smaller 62.

Categories: Cyber Risk News

#COVID19 Drives Dealers Online as Drugs Supply Soars

Thu, 05/28/2020 - 08:10
#COVID19 Drives Dealers Online as Drugs Supply Soars

The supply of dark web drugs soared nearly 500% over the first few months of this year as dealers took to the internet to continue trading, according to new data from Sixgill.

The cyber-intelligence company monitors multiple underground sites and forums for its customers.

It reported that although the supply of malware, phishing kits, and stolen accounts has been pretty steady over the past 12 months, that of illegal drugs has spiked recently as government lockdowns forced individuals off the streets.

The firm claimed that the number of items for sale in December 2019 stood at 4154, but this had risen to 24,719 by April 2020 — an increase of 495%.

MDMA postings apparently grew 224%, cannabis postings were up 555%, and cocaine posts spiked 1000% over the period.

“Feedback, while an imperfect metric for purchase volume, is a reliable indicator of the rate of transactions,” Sixgill explained. “Feedback volume for cannabis, cocaine, and MDMA all nearly doubled over the past half year.”

However, despite this surge in online supply and a likely uptick in sales, the underground market was not immune to the same dynamics as legitimate economic sectors.

“As with all online shopping, shipping delays occurred, with dark web chatter suggesting that slower delivery times dinged the reputations of vendors among a cynical customer base that’s always vigilant for scammers. Though the rise in chatter and concerns was temporary, it did make both vendors and consumers more conscious of the risks of international shipping for illegal goods,” the security firm explained.

“While supply surged, demand lagged and never caught up, rising later and at a slower pace. That led to a 10-fold surge in mentions of ‘bargains’ and ‘discounts’ in early 2020. That’s not only a response to oversupply, but a reaction to consumers’ precarious economic situation during the economic freeze.”

Categories: Cyber Risk News

New York Teen Masterminds $23.8m Crypto Heist

Wed, 05/27/2020 - 19:23
New York Teen Masterminds $23.8m Crypto Heist

An American cryptocurrency investor is suing a New York high school senior over the theft of $23.8m in digital currencies.

Michael Terpin has filed a civil complaint against 18-year-old Ellis Pinsky alleging that in 2018, at the tender age of 15, Pinsky masterminded a plot to defraud Terpin out of millions.

Pinsky was allegedly the leader of what Terpin described as a "gang of digital bandits" who stole from multiple victims after using SIM swapping to gain control of their smartphones.

None of the teen's alleged co-conspirators were named in the complaint, in which Terpin accuses them and Pinsky of racketeering and computer fraud. 

Terpin claims that, after hijacking the native wallet on his BlackBerry, Pinsky cockily bragged to his peers that he would get away with his cybercrime. 

“On the surface, Pinsky is an ‘All American Boy,’” Terpin said in a complaint filed May 7 in a federal court in White Plains, New York. “The tables are now turned.”

In May last year, Terpin won a $75.8m civil judgement in a California state court in a related case against an alleged associate of Pinsky, Nicholas Truglia, who has faced criminal hacking charges. Now Terpin is gunning for Pinsky, seeking triple damages of $71.4m.

According to Reuters, court records show that Terpin is also suing his carrier AT&T Mobility in Los Angeles for $240m. 

To his classmates at Irvington High School, Pinsky was an unremarkable individual who achieved decent grades and liked playing soccer. 

At the time of the alleged crypto-heist, Pinsky was living in a $1.3m home he shared with his family. An anonymous insider told the New York Post that Pinsky explained his newfound wealth to his parents by saying that he had gotten lucky making Bitcoin online through video games.  

The teen allegedly used the stolen money to travel by private jet, purchase an Audi R8, and splash out on the latest sneakers. 

Pinsky's attorney, Noam Biale, told the New York Post: “Ellis was a child at the time of the alleged conduct. . . . It is deeply unfortunate that Mr. Terpin has chosen to bring [a] lawsuit, full of smears and baseless allegations, for no imaginable purpose other than spite.”

Categories: Cyber Risk News

Data Breach at Bank of America

Wed, 05/27/2020 - 17:09
Data Breach at Bank of America

Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP). 

Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.

The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information. 

Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.

Bank of America, which is headquartered in Charlotte, North Carolina, said that access to the information was limited. 

In a breach notification document, a spokesperson for the bank said: "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."

The bank neglected to share any specifics of which applicants were affected by the breach, stating only that it was a "small number" of clients. The exposed data was drawn from a pool of nationwide applications, meaning that businesses in multiple states may have been impacted.

More than 305,000 PPP relief applications have been processed by Bank of America with the SBA.

Upon discovering the breach, the bank asked the Small Business Administration to remove the visible information. According to the filing, the SBA resecured the exposed data within one day of its being accidentally exhibited. 

The bank said that the PPP application and submission processes were not affected by the cybersecurity mishap. An internal investigation has been launched to determine how the data came to be exposed. 

Bank of America is offering clients affected by the breach free two-year membership of Experian's identity theft protection program.

Categories: Cyber Risk News

Thais Ditch Twitter for Blockchain-Based Social Network Minds

Wed, 05/27/2020 - 16:07
Thais Ditch Twitter for Blockchain-Based Social Network Minds

Thais are deserting Twitter in favor of the blockchain-based social networking tool Minds.

Minds is a free and open source distributed social networking service that gives users ERC20 tokens that can be used to promote content or crowdfund other users. Tokens are awarded based on the time a user spends accessing the service and the number of interactions that they have.

The platform was founded in 2011 and is headquartered in Wilton, Connecticut. Unlike some social media platforms that are moving toward increased censorship, Minds describes its content policy as "based on the First Amendment and governed by a community jury in order to minimize bias and censorship."

Minds founder Bill Ottman told Coconuts Bangkok that the platform saw a spike of 100,000 new Thai users in a single day last week, causing the service to crash temporarily. According to Minds, there are now more than 200,000 Minds users in Thailand.

Ottman said: “We are thrilled to provide privacy, internet freedom and digital rights for Thai netizens. This is exactly the reason Minds exists.”

Among the Thai Twitter users to defect to Minds was prominent writer and social critic Sarinee Achavanuntakul. Her final tweet, posted on May 21, read, “Say goodbye to Twitter and meet at Minds.”

Twitter became popular in Thailand as a way for citizens to speak their minds anonymously in a country where speech is harshly restricted and the lese-majeste law forbids the insulting of the monarchy. 

Journalists who criticize Thailand's military rule are detained by the government and subjected to what the Committee to Protect Journalists describes as "attitude adjustment sessions."

According to Quartz, Thais have "grown wary and distrustful of Twitter over a recent string of developments on the platform that sparked privacy concerns."

One such development was an update to Twitter's privacy policy on May 19, giving the platform permission to share device-level data like a user's IP address with its business partners. 

The update came days after Twitter announced in a blog post that the company had launched an official Twitter Thailand account and partnered with the Thai government and local NGOs.

Achavanuntakul said in recent months, young users "who have been critical of the monarchy” on Twitter have received visits from the police at home.

Categories: Cyber Risk News

UK Energy Operators Join the European Network for Cybersecurity

Wed, 05/27/2020 - 14:41
UK Energy Operators Join the European Network for Cybersecurity

The National Grid Gas Transmission (NGGT) and National Grid Electricity Transmission (NGET) in the UK have become the newest members of the European Network for Cybersecurity (ENCS), in a move designed to better protect the European energy sector against cyber-attacks. The NGGT and NGET will now engage in information sharing regarding cyber-threats with a number of major utility organizations across Europe. 

The ENCS already works on cybersecurity in electricity and gas across Europe, both at the distribution and transmission levels. In addition to sharing expertise, energy organizations that are part of the group collaborate on capacity building, conduct training and provide security testing and standards for a range of components such as smart meters.

The NGGT and NGET are both part of National Grid plc, which is one of the world’s largest investor-owned energy utilities, and works to deliver electricity and gas safely and efficiently to customers in the UK.

Anjos Nijk, managing director of the ENCS, commented: “The National Grid already ranks among the most sophisticated transport system operators (TSOs) in terms of cybersecurity, and by joining the ENCS, it demonstrates its commitment to that improving even further – and of course, brings a wealth of experience to the table that our members will benefit from.

“The energy sector is only becoming more interconnected, and it is vital those of us looking to protect it do the same.”

The NGGT and NGET become the first UK-based organizations to join the ENCS.

Paul Lee, engineering manager for cyber and control systems at National Grid, added: “We have robust cybersecurity measures in place across all our operational infrastructure and IT to protect against cyber-threats, but our membership will help us to benefit from the ENCS knowledge base as we share information with other members, contributing to increased protection across all critical infrastructure.”

The energy sector has been a frequent target of cyber-criminals. Last month, it was claimed that energy firm EDP was hit with a €10m ransomware threat.

Categories: Cyber Risk News

Nearly One Fifth of Law Firms Show Signs of Compromise

Wed, 05/27/2020 - 12:31
Nearly One Fifth of Law Firms Show Signs of Compromise

Cybersecurity experts are calling for the legal sector to be defined as critical to securing national infrastructure, after revealing that 100% of law firms were targeted by attackers in the first quarter of 2020.

BlueVoyant appraised thousands of law firms worldwide between January and March 2020, to compile its latest report, Sector 17 – The State of Cybersecurity in the Legal Sector.

Of those targeted, some 15% are likely to have been compromised while nearly half showed signs of suspicious activity, including malicious proxy use, it said.

The near-$1 trillion sector is a prime target for financially motivated attacks as well as nation state actors looking for sensitive information they can use to make money or leverage geopolitically.

The report details examples of ransomware threats, financial data and PII theft, third-party risks, password breaches, insider leaks and hacktivism.

These include stand-out cases such as the 2016 Panama Papers breach of law firm Mossack Fonseca, the 2017 ‘ransomware’ outage at DLA Piper caused by NotPetya, and this year’s Luanda Leaks breach which revealed incriminating evidence on the former President of Angola.

BlueVoyant, a firm which counts former GCHQ director Robert Hannigan as its chairman, wants the sector to be added to the 16 others defined by the Department of Homeland Security as critical to securing national infrastructure, resources and resiliency.

“The stakes could not be higher. While the legal sector is performing well in comparison to the other 16 sectors, attacks against law firms constitute some of the most sensational and damaging cyber-attacks in history. We have already seen how recent incidents can cause substantial geopolitical fallout, not to mention tremendous direct and indirect financial repercussions for law firms,” argued CEO Jim Rosenthal.

“Threat actors are aggressively targeting law firms, and they are doing so daily. Threats against law firms are high volume, multi-faceted, and organized; threat actors use multiple sophisticated tools and techniques; and, notwithstanding industry-leading efforts, law firms have been successfully compromised.”

Categories: Cyber Risk News

DNS Traffic Analysis Detects Hidden DDoS Attacks

Wed, 05/27/2020 - 10:03
DNS Traffic Analysis Detects Hidden DDoS Attacks

New research has found a measurable increase in DNS cache miss traffic levels, and a number of previously unknown DDoS events.

According to Farsight Security, analysis of DNS cache miss traffic levels over the two-month period of March-April 2020 revealed “a macroscopic phenomenon.” The analysis was done over 300 domains for leading travel and transportation, retail, streaming video, higher education and news and partisan opinion sites.

Using its DNSDB intelligence solution, Farsight said that it looked at daily DNS transactions for over 300 sites and when reviewing traffic for these sites, it looked at the DNS cache miss traffic for all hostnames under a given delegation point. This revealed some websites experiencing spikes in volume, which Farsight stated represent denial of service (DDoS) attack traffic reflexively targeting unrelated third-party sites.

It said at least two distinct reflective DDoS attack patterns took place among the studied sites: one pattern type which appeared to be purely associated with abusive DNS SOA (Start of Authority) queries, and a second pattern type which melds abusive DNS SOA queries with abusive DNS TXT queries for wildcarded SPF redirect records.

Also some sites experienced spikes in volume that were so large that the spikes caused most of the “normal variation” in traffic volume to “wash out” due to the dominance of the spike or spikes.

Dr. Paul Vixie, chairman, CEO and co-founder of Farsight Security, said whilst headlines focused on a virus pandemic, most of the DNS traffic related to those headlines will be due to fraudulent or criminal activity by those hoping to cash in on the public's attention. “Therefore, it is worth our time to study DNS traffic patterns during every global event, to characterize current abuses of the system and to predict future abuses,” he said.

Farsight also discovered a step up pattern in traffic, typically reflecting a four-to-seven-times increase in DNS cache miss traffic levels, across most or all verticals during the same period.

To reduce the risk of DDoS events, Farsight recommended that nameserver vendors ship their products with Response Rate Limiting (RRL) enabled by default. Farsight also recommended all authoritative name server operators confirm that their current configurations have RRL enabled. 

Categories: Cyber Risk News

Trump Election Tweet Labelled Fake News

Wed, 05/27/2020 - 09:30
Trump Election Tweet Labelled Fake News

Donald Trump has decided to pick a fight with Twitter after one of his posts on the upcoming election was labelled misleading by the social media platform.

The original tweet claimed that Mail-In (postal) ballots during the November Presidential election would be “substantially fraudulent.”

The issue has become a partisan one of late, as Democrats push for voters to have the option of mailing in their votes to avoid the risk of COVID-19 infection at the polling booth. They claim that otherwise, millions of voters may be disenfranchised as they stay at home.

Many Republicans, including Trump, believe higher voter turnouts enabled by postal voting would give their opponents an advantage, as groups that would otherwise stay home are more likely to vote Democrat.

Twitter labelled Trump’s tweet with a clickable blue notification stating "get the facts about mail-in ballots," which takes them to a page debunking the false assertion that postal votes lead to election fraud.

Unsurprisingly, Trump hit back, branding Twitter’s response as stifling free speech and interfering in the 2020 election.

In fact, many commentators have argued that Twitter has been too easy on Trump in recent months and years, saying that his status and 80 million followers have given him carte blanche to say things that others would be blacklisted for.

Twitter’s decision can be seen in the context of its newly updated policy on misleading information. Because the propensity for harm was judged “moderate” in this case, the platform merely labelled Trump’s tweet, but if that rating is upped to “severe” then future posts could be removed.

Either way, the incident is likely to be just the first of many ahead of the election as Trump seeks to fire up his base with increasingly outlandish statements on social media.

Categories: Cyber Risk News

Pages