Info Security

Over 460,000 E-Retailer User Accounts Hacked

Tue, 05/14/2019 - 17:42

Fast Retailing Co., Asia’s largest retailer, released a statement acknowledging that hackers likely gained access to the personal information of nearly half a million Uniqlo and GU brand e-commerce portal users.

“It was confirmed on May 10, 2019 that an unauthorized login by a third party other than the customer occurred on the online store site operated by our company. Although the number of targets and the situation may change according to the progress of the future survey, we will report the facts confirmed at present and our response,” according to a translation of the company's statement.

“This fraudulent login was performed from April 23 to May 10, 2019 by the method of 'list-type account hacking (list-type attack),' and the number of accounts logged-in illegally as of the present is 461,091. We deeply apologize to our customers and stakeholders for any inconvenience or concern. We will strive to further enhance security and ensure safety so that similar events do not occur.”

The "list-type attack" in the statement is what English-language practitioners call credential stuffing: replaying username/password pairs leaked from other sites against the retailer's login, which means the credentials were almost certainly not stolen from Fast Retailing itself. Not only are the owners of those reused passwords at risk, but any e-commerce business with a login page is at risk of being the next to suffer a breach, according to Rami Essaid, co-founder of Distil Networks.

“Data breaches like Uniqlo create huge spikes in bot traffic on the login screens of websites, as hackers cycle through enormous lists of stolen passwords. Password dumps create a ripple effect of organizations spending precious time and resources on damage control,” Essaid said.

First there is “the massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. All because a username and password was stolen from a different website," Essaid continued. "While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”
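The failed-login spike Essaid describes is detectable in ordinary authentication logs. The following is an added example, not code from Fast Retailing, Distil Networks or the article: it parses a constructed login log (the line format, usernames and IP addresses are assumptions) and flags any source that tries many distinct usernames with a high failure ratio inside a short window, listing the accounts that nevertheless logged in, since those are the ones to lock and notify.

```python
"""Flag credential-stuffing traffic in login logs.

Added example: a minimal detector, not code from Fast Retailing, Distil
Networks or Infosecurity. The log format, field names and IP addresses
below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Yield (timestamp, src_ip, username, success) tuples; skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"] == "OK"


def find_stuffing(lines, window=timedelta(minutes=10),
                  min_users=5, min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources that, within `window`, tried at
    least `min_users` distinct usernames with a failure ratio >= min_fail_ratio.

    The distinct-username count is the key signal: a legitimate user who has
    forgotten a password retries one account; a stuffing bot walks a list.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(parse(lines)):
        by_src[src].append((ts, user, ok))

    hits = {}
    for src, evs in by_src.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if (len(users) >= min_users and ratio >= min_fail_ratio
                    and (best is None or len(span) > best["attempts"])):
                # Successful logins inside a stuffing burst are the real loss:
                # those accounts should be locked and their owners notified.
                best = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "fail_ratio": round(ratio, 2),
                    "compromised": sorted(u for _, u, ok in span if ok),
                }
        if best:
            hits[src] = best
    return hits


# Constructed log: one forgetful legitimate user, then one source walking a leaked list.
SAMPLE_LOG = [
    "2019-04-23T10:00:01Z src=198.51.100.7 user=alice result=FAIL",
    "2019-04-23T10:00:20Z src=198.51.100.7 user=alice result=FAIL",
    "2019-04-23T10:00:45Z src=198.51.100.7 user=alice result=OK",
] + [
    f"2019-04-23T10:05:{i:02d}Z src=203.0.113.5 user=u{i:02d} "
    f"result={'OK' if i in (4, 9) else 'FAIL'}"
    for i in range(1, 13)
]

if __name__ == "__main__":
    for src, summary in find_stuffing(SAMPLE_LOG).items():
        print(src, summary)
```

Thresholds are the tunable part: a large retailer will want the distinct-username bar far higher per source and will also need to aggregate across sources, because stuffing tools rotate through residential proxies precisely to stay under per-IP limits.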

Insecure web applications continue to plague e-commerce businesses because retailers limit their application security efforts and often overlook the most obvious risks and threats, said Ilia Kolochenko, founder and CEO of ImmuniWeb. “Cyber-criminals will now increasingly target retailers from developed countries within the APAC region, as Western retailers are better protected and are also suffering from an economic slowdown.

“Application security should start with a holistic inventory and risk assessment to enable well-informed decisions. Afterwards, continuous security monitoring is vital to ensure agile development processes and timely addressing of any new security and privacy issues.”

Categories: Cyber Risk News

Equifax Has Spent Nearly $1.4bn on Breach Costs

Tue, 05/14/2019 - 10:55

Equifax has incurred losses so far of over $1.35bn from a devastating 2017 breach which affected more than half of all Americans and millions of UK consumers, the firm revealed in its latest financials.

The credit agency claimed in its Q1 2019 earnings statement that the figure “related to the incident, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.”

The firm has recouped the maximum possible $125m, minus $7.5m, from an insurance policy, and claims that breach costs for the rest of this year will be less than those for 2018.

However, the first three months of 2019 saw the company shell out $82.8m for "technology and data security," $12.5m for "legal and investigative fees," and $1.5m for product liability. The largest sum ($690m) was listed as "accrual for legal matters" related to the 2017 breach.

As well as the $786.8m listed for Q1 2019, the firm detailed $68.7m it spent in Q1 2018.

Its technology and data costs “include incremental costs to transform our technology infrastructure and improve application, network, data security, and the costs of development and launch of Lock and Alert,” it explained. These include people, services and direct product costs.

The legal costs relate to payments to lawyers and professional services companies to investigate the incident and respond to legal, government, and regulatory investigations and claims. Product liability costs relate to its paying for free credit monitoring for customers.

The latest revelations can be seen as a cautionary tale of what happens when organizations fail to implement adequate cybersecurity.

The 2017 breach itself stemmed from exploitation of a known Apache Struts 2 flaw which was left unpatched. The subsequent exfiltration of data over several months compromised highly sensitive credit and personal information on over half of all American adults (148m) and 15 million UK consumers, as well as around 20,000 Canadians.

Although the UK’s ICO fined the firm the maximum £500,000 under the old regime, Equifax could have been hit with a penalty orders of magnitude greater if the incident had occurred after May 2018, when the GDPR came into effect.

Categories: Cyber Risk News

Nine Charged in $2m SIM Swap Conspiracy

Tue, 05/14/2019 - 09:22

Nine men have been charged for their alleged role in a major SIM swapping operation designed to bypass log-in security to steal millions in cryptocurrency from their victims.

Dubbed “The Community” by investigators, the group of individuals in their teens and 20s includes six alleged cyber-criminals and three former employees of mobile phone companies who are said to have helped them.

The former are charged with conspiracy to commit wire fraud, wire fraud and aggravated identity theft, while the latter are charged with wire fraud in relation to the conspiracy.

They all hail from the US, apart from Conor Freeman, 20, of Dublin.

The SIM swapping conspiracy they are said to have been involved in will be familiar to industry watchers.

First, the group gains control of a victim’s mobile phone number, either by bribing an employee of a carrier, or posing as the victim and tricking a customer service operative into swapping the number to a SIM controlled by the group.

They then use control of the phone number to unlock digital currency accounts, for example by intercepting the 2FA codes that exchanges often send by SMS.

The defendants are alleged to have executed seven attacks that resulted in the theft of cryptocurrency valued at around $2.4m.

“Mobile phones today are not only a means of communication but also a means of identification,” stated US attorney Matthew Schneider. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”

SIM swapping cases are becoming increasingly common. Last November, a Manhattan man was charged with allegedly stealing over $1m from various business executives.

In August last year, a US entrepreneur and cryptocurrency investor filed a $223m lawsuit against AT&T after a store employee allegedly helped fraudsters steal $24m of his digital funds, in another SIM swap attack.

Categories: Cyber Risk News

WhatsApp Finds and Fixes Targeted Attack Bug

Tue, 05/14/2019 - 08:55

WhatsApp is urging its global users to update their app after fixing a serious remote code execution (RCE) vulnerability which was being exploited in a highly targeted attack, potentially by a nation state.

The Facebook-owned mobile comms giant, which has over 1.5 billion users, rolled out a fix on Friday for the buffer overflow vulnerability in the WhatsApp VoIP stack. It said the flaw allowed RCE "via specially crafted series of SRTCP packets sent to a target phone number."

In effect, this means a user could be infected with the spyware payload simply by being phoned by the attacker. They don’t even have to pick up.
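The article gives no detail of the flaw beyond "buffer overflow" and "crafted series of SRTCP packets", so the following is an added illustration of the defect class rather than WhatsApp's code: a walker for the RTCP compound-packet structure that SRTCP wraps (layout per RFC 3550) in which every length field is checked before anything depends on it. In a C implementation, the unchecked `(length + 1) * 4` driving a memcpy() is exactly where such an overflow lives. The packets, helper names and error class are the example's own.

```python
"""Walk an RTCP compound packet without trusting its length fields.

Added example illustrating the defect class (an attacker-controlled length
field driving a copy), not WhatsApp's code: the article gives no details of
the actual bug. RTCP layout follows RFC 3550; packets below are constructed.
"""
import struct

# Common RTCP header: V(2)|P(1)|RC/SC(5), packet type, length in 32-bit words minus one
RTCP_HEADER = struct.Struct("!BBH")


class RtcpError(ValueError):
    """Raised for any packet that fails a structural check."""


def parse_compound(buf):
    """Split a compound RTCP packet into (packet_type, count, body) tuples.

    Every bound is validated before a slice depends on it. In a C parser the
    missing `size <= remaining` check, followed by memcpy(dst, pkt, size),
    is the buffer overflow.
    """
    if len(buf) % 4:
        raise RtcpError("RTCP packets are 32-bit aligned")
    pkts, off = [], 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < RTCP_HEADER.size:
            raise RtcpError("truncated header at offset %d" % off)
        flags, pt, length = RTCP_HEADER.unpack_from(buf, off)
        version, padding, count = flags >> 6, (flags >> 5) & 1, flags & 0x1F
        if version != 2:
            raise RtcpError("bad RTCP version %d" % version)
        size = (length + 1) * 4          # attacker-controlled: up to 262144 bytes
        if size > remaining:             # the check an overflowing parser lacks
            raise RtcpError("declared %d bytes but only %d remain" % (size, remaining))
        body = buf[off + RTCP_HEADER.size:off + size]
        if padding:
            if off + size != len(buf):
                raise RtcpError("padding is only allowed on the last packet")
            pad = body[-1] if body else 0
            if pad == 0 or pad > len(body):
                raise RtcpError("invalid pad count %d" % pad)
            body = body[:-pad]
        pkts.append((pt, count, body))
        off += size
    return pkts


def build(pt, count, body, padding=False):
    """Construct one well-formed RTCP packet (body must be 32-bit aligned)."""
    if len(body) % 4:
        raise ValueError("body must be 32-bit aligned")
    flags = (2 << 6) | (int(padding) << 5) | (count & 0x1F)
    length = (RTCP_HEADER.size + len(body)) // 4 - 1
    return RTCP_HEADER.pack(flags, pt, length) + body


def is_rejected(buf):
    """True if parse_compound() refuses the packet."""
    try:
        parse_compound(buf)
    except RtcpError:
        return True
    return False


# Constructed inputs: a benign RR+SDES compound, and two hostile packets.
SAMPLE_COMPOUND = (build(201, 0, b"\x00\x00\x12\x34")                      # RR, no report blocks
                   + build(202, 1, b"\x00\x00\x12\x34\x01\x02\x41\x00"))    # SDES with one CNAME item
CRAFTED_OVERSIZED = RTCP_HEADER.pack(0x80, 201, 0xFFFF) + b"\x00" * 4      # claims 256 KiB, carries 8 bytes
CRAFTED_BAD_PAD = RTCP_HEADER.pack(0xA0, 201, 1) + b"\x00\x00\x00\x09"     # pad count larger than body

if __name__ == "__main__":
    print([pt for pt, _, _ in parse_compound(SAMPLE_COMPOUND)])              # [201, 202]
    print(is_rejected(CRAFTED_OVERSIZED), is_rejected(CRAFTED_BAD_PAD))     # True True
```

The SRTCP trailer (E bit, index and authentication tag) sits after the RTCP payload and is stripped before this walk; a parser that reads the RTCP length fields before the tag has been verified is processing attacker bytes with no integrity guarantee at all.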

“The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15,” a technical note revealed.

WhatsApp’s own security team is said to have found the bug, although it has been reported that it was initially discovered and monetized by notorious Israeli firm NSO Group, whose Pegasus spyware has been sold to governments in the past to help them monitor individuals.

The firm refused to name who it suspected, saying only that it was the work of an “advanced cyber actor,” that attacks exploiting the flaw had targeted a “select number” of users, and that it bore “all the hallmarks” of a private firm that works with governments to deliver spyware targeting mobiles.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up-to-date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” WhatsApp said in a statement sent to Infosecurity.

For its part, NSO Group reiterated in reports that its wares are only licensed to governments for the purpose of fighting crime and terror.

Chris Boyd, Malware Intelligence Analyst at Malwarebytes, argued the findings were “enormously worrying for anyone using WhatsApp on a phone alongside sensitive information.”

“The really impressive thing here is that the WhatsApp team discovered this attack at all, given no click to install is required,” he added.

WhatsApp has briefed NGOs to share any useful information, presumably so that at-risk individuals in the countries concerned can be warned, and it has informed US law enforcement.

Categories: Cyber Risk News

Malicious Attacks Cause of Most Aussie Breaches

Mon, 05/13/2019 - 17:22

Malicious or criminal attacks accounted for nearly twice as many data breaches as those resulting from human error during the first quarter of 2019, according to the Notifiable Data Breaches Quarterly Statistics Report by the Office of the Australian Information Commissioner (OAIC).

The report, published today, marks the start of Australia’s Privacy Awareness Week. “By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them,” said OAIC commissioner Angelene Falk, according to today’s press release.

Of the 215 data breach notifications in the first quarter of 2019, 61% were caused by malicious actors, while human error was to blame for only 35% of the total breaches. "Malicious or criminal attacks differ from human error breaches in that they are deliberately crafted to exploit known vulnerabilities for financial or other gain. Many incidents in this quarter appear to have exploited vulnerabilities involving a human factor, such as clicking on a phishing email or by using social engineering or impersonation to obtain access to personal information fraudulently," the report said.

An additional 4% were the result of a system fault, the report said. Cyber-criminals reportedly targeted contact information most frequently, followed by financial details, identity information and health information.

While the report noted that a single data breach reportedly affected more than 10 million individuals, “data breaches impacting between one and 10 individuals comprised 50 percent of the notifications."

The 215 notifications also represent a decline from previous quarters, with 242 in the second quarter of 2018 and 262 in the final quarter of that year, although 86 of the Q1 2019 reports were received in March alone.

“Our report shows a clear trend towards the human factor in data breaches – so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.

“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.

“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity – transparency and accountability.”

Categories: Cyber Risk News

ScarCruft APT Develops Malware to Target Bluetooth

Mon, 05/13/2019 - 16:17

Researchers have been monitoring the Korean-speaking threat actor known as ScarCruft and have reportedly discovered that new tools are being developed. According to Kaspersky Lab, ScarCruft is testing tools using code that can identify connected Bluetooth devices in order to steal information from targeted victims.

In addition, researchers reported that they observed similarities between the victims of ScarCruft’s most recent threat campaigns and those victims of the notorious Korean-speaking DarkHotel group.

“The ScarCruft group uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). As in Operation Daybreak, this actor performs sophisticated attacks using a zero-day exploit. However, sometimes using public exploit code is quicker and more effective for malware authors. We witnessed this actor extensively testing a known public exploit during its preparation for the next campaign,” researchers wrote.

Believed to be state-sponsored actors that target government entities and organizations that do business in the Korean peninsula, the ScarCruft advanced persistent threat (APT) is evolving. Evidence suggests the APT has been delving into the mobile device territory and is testing new exploits that indicate a particular resourcefulness. The group has adapted legitimate tools and services, adding those to its cyber-espionage operations.

“This is not the first time we have seen ScarCruft and DarkHotel overlap,” said Seongsu Park, senior security researcher, Kaspersky Lab global research and analysis team, in a press release. “They have similar interests in terms of targets but very different tools, techniques and processes. This leads us to believe that one group regularly lurks in the shadow of the other. ScarCruft is cautious and likes to keep a low profile, but it has shown itself to be a highly skilled and active group, with considerable resourcefulness in the way it develops and deploys tools. We strongly believe that it will continue to evolve.”

ScarCruft launches its attacks using either spear-phishing or ‘watering-hole’ (strategic website compromise) attacks, which are then followed by a first-stage infection. The threat actors are able to evade detection at the network level using steganography malware that hides the malicious code in an image file.
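A hunting check for the image-file staging described above, as an added example that is not Kaspersky's or ScarCruft's code and does not claim to reproduce the group's exact embedding method: one common trick is to append the payload after the PNG IEND chunk, which viewers ignore. The check walks the chunk list, verifies each CRC, and reports anything after IEND. The images are built inside the block by `make_png()`, an assumed helper.

```python
"""Report bytes hidden after the end of a PNG image.

Added example, not Kaspersky's or ScarCruft's code and not necessarily the
group's exact embedding method: appending a payload after the IEND chunk is
a common way to ride inside an image, because viewers stop reading at IEND.
The images below are constructed by make_png().
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype, data):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack("!I", len(data)) + ctype + data + struct.pack("!I", crc)


def make_png(width=1, height=1, trailer=b""):
    """Constructed 8-bit greyscale PNG, optionally with `trailer` appended after IEND."""
    ihdr = struct.pack("!IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + pixels
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows))
            + chunk(b"IEND", b"") + trailer)


def trailing_data(png):
    """Return whatever follows the IEND chunk (b"" for a clean file).

    Walks the chunk list and verifies each CRC, so a file that is not really
    a PNG, or has been tampered with mid-stream, raises instead of being
    silently reported clean.
    """
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while True:
        if len(png) - off < 12:                       # length(4)+type(4)+crc(4)
            raise ValueError("truncated chunk at offset %d" % off)
        (length,) = struct.unpack_from("!I", png, off)
        ctype = png[off + 4:off + 8]
        end = off + 12 + length
        if end > len(png):
            raise ValueError("%r chunk length exceeds file" % ctype)
        (crc,) = struct.unpack_from("!I", png, end - 4)
        if crc != zlib.crc32(png[off + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r chunk" % ctype)
        off = end
        if ctype == b"IEND":
            return png[off:]


def classify(png):
    """'clean', 'pe-trailer' (MZ header after IEND) or 'unknown-trailer'."""
    extra = trailing_data(png)
    if not extra:
        return "clean"
    return "pe-trailer" if extra.startswith(b"MZ") else "unknown-trailer"


if __name__ == "__main__":
    print(classify(make_png()))                                   # clean
    print(classify(make_png(trailer=b"MZ\x90\x00stage2")))        # pe-trailer
```

A trailer that is encrypted or XOR-obfuscated will still be caught as "unknown-trailer" since the test is structural, not signature-based; payloads hidden inside IDAT pixel data need an entropy or LSB analysis this check does not attempt.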

Categories: Cyber Risk News

Lawmakers Propose Cyber Training for Congress

Mon, 05/13/2019 - 16:12

A bipartisan resolution introduced last week by New York representatives Kathleen Rice (D) and John Katko (R) would require members of Congress to receive annual cybersecurity and IT training.

The Congressional Cybersecurity Training Resolution of 2019 adds to the existing requirement that House employees receive annual training by mandating that the House members themselves also receive cybersecurity and IT training, according to The Hill.

“The chief administrative officer shall carry out an annual information security training program for members (including the delegates and resident commissioner), officers, and employees of the House,” the act states.

“We strongly encourage support for the Congressional Cybersecurity Training Resolution,” said Jack Koziol, CEO and founder at Infosec. “Cyber-criminals are responsible for hundreds of billions of dollars’ worth of damage to the global economy and undermine democracy around the world. We know people empowered with the right training and education are the ultimate defense against cybercrime. Arming our members of Congress with this information gives them an opportunity to lead by example and also helps create a culture of protection awareness for our data-dependent society.”

Any new members, delegates, resident commissioners, officers, or employees of the House will also be required to receive training within 30 days of onboarding to the House. “Not later than January 31 of each year, each officer and employee of the House shall file a certification with the chief administrative officer that the officer or employee completed an information security training program,” the act states.

"Cyber-attacks continue to pose a growing and vexing threat at nearly every level of government and congressional offices are no exception," Rice told The Hill. "If we want to effectively counter those threats, then we need to make sure members of Congress are equipped with the tools and knowledge to play an active role in this fight."

While it is encouraging to see lawmakers looking to improve cybersecurity training for House members, Shlomi Gian, CEO at CybeReady, said it is unfortunate that they are a few years behind when it comes to best practice.

“In the past few years, the majority of organizations that fell prey to cyber-attacks did have an annual training in place, which proved to be useless when a real attack was launched. The average human brain does not have the capacity to memorize facts taught during a single, relatively long annual training. A better training practice includes on-the-spot training that is triggered when we have the employee's full attention – at the moment that the employee fails to detect a simulated attack – we call this the golden moment and careless employees do not forget it quickly.”

Categories: Cyber Risk News

WannaCry Remains a Global Threat Two Years On

Mon, 05/13/2019 - 11:35

WannaCry ransomware remains a global threat two years on from the initial outbreak of the attack in May 2017.

That’s according to new analysis from Malwarebytes, which discovered that a total of 4,826,682 WannaCry detections have been identified since the malware variant first wreaked havoc.

Although detections of WannaCry variants have been subdued since the global kill switch was activated, they are far from gone. Malwarebytes' research showed that Eastern countries are most at risk from WannaCry; the majority of detections since its initial spread landed in India (727,883), Indonesia (561,381), the US (430,643), Russia (356,146) and Malaysia (335,814). In the UK, there have been 17,185 detections since the initial attack took place, with just 41 incidents recorded since April 1 2019. In contrast, other countries have continued to register large numbers of detections in the same period; India (19,777), Indonesia (19,192) and the US (3325), for instance.

Malwarebytes also warned that hundreds of thousands of systems globally are still vulnerable to EternalBlue and EternalRomance, the leaked SMBv1 exploits from the same toolkit (WannaCry's worm component spread via EternalBlue), and that malware authors are reusing the mechanisms that let WannaCry spread so rapidly to launch a new generation of trojans, such as Emotet and TrickBot, against businesses.

Adam Kujawa, director of Malwarebytes Labs, said: “Two years since WannaCry brought many organizations, including the NHS, to a standstill, there has been a steady decrease in detections globally – but these still number in the hundreds of thousands.

“There are still so many WannaCry detections because there are still samples wandering the internet, and while the URL used as the ‘global kill switch’ has been registered – neutering much of the threat WannaCry poses – there are still many incidents where it is successfully exploiting the distribution methods we originally saw in May 2017.”

Kujawa pointed out that the most concerning issue is the new generation of trojans that are taking advantage of the same mechanisms that enabled WannaCry to cause so much damage, in an attempt to do the same thing.

“There are millions of systems out there that are vulnerable to these vicious forms of malware; businesses and consumers alike should make updating their systems regularly a top priority,” he added.

Categories: Cyber Risk News

ICO Calls Out HMRC for Illegal Biometric Data Collection

Mon, 05/13/2019 - 10:03

The HMRC has been handed an enforcement notice by the UK’s privacy watchdog after contravening the GDPR over collection of biometric data from taxpayers.

In the first case of its kind since the EU-wide legislation was introduced, the Information Commissioner’s Office (ICO) called out the government agency over its Voice ID authentication system.  

A complaint from rights group Big Brother Watch had argued that callers to the HMRC helpline were not given enough information about the service, there was no option to opt-out, and consent was not properly obtained from them to record their voice biometrics.

The commissioner found in her judgement that there was a significant imbalance of power between organization and individual, that no data protection impact assessment (DPIA) was in place before the system launched, and that HMRC gave "little or no consideration to the data protection principles when rolling out the Voice ID service."

The HMRC has now been ordered to delete any data it holds on taxpayers which was obtained without their consent.

Although the scale of the infringement was great — with over seven million voice records saved — the ICO decided not to impose a fine because it judged that the contravention was not likely to cause any persons “damage or distress.” It also noted the HMRC’s retrospective attempts to obtain explicit consent from users.

If the HMRC refuses to comply with the enforcement notice, the ICO has the power to fine it the maximum GDPR penalty of £17m or 4% of global annual turnover, whichever is higher.

“This is the first enforcement action taken in relation to biometric data since the advent of GDPR when, for the first time, biometric data was specifically identified as special category data that requires greater protection,” said ICO deputy commissioner for policy, Steve Wood.

“Our guidance on informed consent provides advice for organizations planning to use these kinds of systems and we are currently developing our guidance on biometric data.”

Categories: Cyber Risk News

SMS Spammers Expose 80 Million Records Online

Mon, 05/13/2019 - 09:35

The administrators of an SMS spam operation left an unsecured MongoDB instance wide open online, exposing over 80 million records linked to their ‘leads,’ according to researchers.

Bob Diachenko revealed the discovery in a blog post late last week, claiming the MongoDB instance was named “ApexSMS” and left without password protection.

“Upon further research it was identified that the MongoDB instance name ApexSMS is also the name of an SMS Bombing program with the same name that is highly advertised on hacker or black hat forums,” he continued.

“What is SMS Bombing? Typically, cell phone users send one message at a time. However, an SMS bomber is a software program that duplicates the same message multiple times or rotates different messages and sends all the messages to a number of your choice. This can be used for pranks, harassment, or in this case marketing products or services.”

The database of 80 million records uncovered by Diachenko included MD5-hashed email addresses; full names; city, state, country and postcode; IP addresses; phone numbers; and the carrier network and whether each number was a landline or mobile. Hashing the email column offers the people in it little protection: an MD5 of an address is trivially reversed by hashing guessed or previously leaked addresses, and the full name sitting in the same record narrows the guessing considerably.

It also included the messages used in the campaign to trick recipients into clicking on links by pretending to be friends or family. Plus, it recorded any text responses from victims.
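To show why an MD5-hashed email column is not anonymisation, here is an added example that is not from Diachenko's write-up: given rows in the shape the exposed database had (full name beside MD5 of the address), it recovers addresses by generating candidates from the name and a handful of common providers, and also shows the lookup-table route for anyone who already holds an address list. The names, addresses and provider list are constructed.

```python
"""Recover e-mail addresses from MD5 hashes using the names stored beside them.

Added example, not from Diachenko's write-up. An MD5 of an address is not
anonymisation when the input space is guessable; here the guess space is
built from a full name and a few common providers. All names, addresses and
the provider list are constructed for the example.
"""
import hashlib

COMMON_DOMAINS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com"]


def md5_hex(address):
    """Hash the way a marketing database typically does: trimmed, lower-cased."""
    return hashlib.md5(address.strip().lower().encode()).hexdigest()


def candidates_from_name(full_name):
    """Plausible local-parts for a name, crossed with common domains."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    local_parts = [f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}",
                   f"{first}_{last}", f"{first}{last[0]}"]
    return [f"{lp}@{d}" for lp in local_parts for d in COMMON_DOMAINS]


def reverse_with_names(records):
    """records: iterable of (full_name, md5_hex). Returns {name: recovered address}."""
    recovered = {}
    for name, digest in records:
        for addr in candidates_from_name(name):
            if md5_hex(addr) == digest:
                recovered[name] = addr
                break
    return recovered


def reverse_with_list(digests, known_addresses):
    """The other common route: a lookup table from any address list already in hand
    (an earlier breach, a purchased marketing list)."""
    table = {md5_hex(a): a for a in known_addresses}
    return {d: table[d] for d in digests if d in table}


# Constructed rows in the shape the article describes: full name beside MD5(e-mail).
SAMPLE_RECORDS = [
    ("Jane Doe", md5_hex("jane.doe@gmail.com")),
    ("John Roe", md5_hex("jroe@outlook.com")),
    ("Pat Unknown", md5_hex("random-handle-9921@example.net")),
]

if __name__ == "__main__":
    print(reverse_with_names(SAMPLE_RECORDS))
    # {'Jane Doe': 'jane.doe@gmail.com', 'John Roe': 'jroe@outlook.com'}
```

Only the address that does not follow a name-derived pattern survives the first pass, and it falls the moment it appears in any list the attacker already holds, which is what `reverse_with_list()` shows; a keyed hash (HMAC with a secret the database does not store) is the minimum that turns this column into something other than a thin disguise.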

Diachenko also suggested the administrators of the campaign may be linked to cloud-based SMS platform Mobile Drip, which claims to offer legitimate high-volume mobile marketing services.

The database itself was “quietly secured” a few days after he discovered it.

Tom Davison, EMEA director at Lookout, argued that unsolicited communications represent a challenge for the end user in validating the reputation of the sender without exposing themselves to further risk.

“If individuals come across a similar campaign or they are unsure of the sender, then the advice remains the same to never click on any links in texts or share personal details,” he added.

“In addition, a mobile endpoint security solution that assesses web and content risk removes this uncertainty and allows for safer interactions."

Categories: Cyber Risk News

US Indicts Chinese Man for Anthem Breach

Mon, 05/13/2019 - 09:01

The US authorities have charged a Chinese man for his role in the massive 2015 information-stealing raid on health insurer Anthem, which affected nearly 79 million customers.

Fujie Wang, 32, and another man charged as John Doe, have been indicted for attacks on four US businesses, including a “basic materials” firm, a tech company and a communications business.

According to the court documents unsealed last week in Indianapolis, the two are charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.

They are alleged to have sent spear-phishing emails to employees in the targeted businesses, of which only Anthem has been named. Once users clicked on a malicious link, a backdoor was covertly downloaded to give the hackers remote access to the corporate network.

They then waited several months before performing reconnaissance on Anthem's data warehouse in October and November 2014. Once the sought-after data was found, in January 2015 it was placed into encrypted archive files and exfiltrated to China.

The files were then deleted from the victim networks to avoid detection, according to the Department of Justice (DoJ).

Wang is alleged to have controlled two domain names linked to the campaign, including one domain name associated with a backdoor used to attack one business, and another linked to an email account used to spear-phish victims of a separate targeted company.

Personally identifiable information (PII) on around 78.8 million Anthem customers was stolen, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data.

The breach is still one of the biggest ever recorded in the healthcare sector. In 2017 Anthem agreed to pay $115m to settle lawsuits brought by customers, in what lawyers at the time said was the largest ever settlement for a data breach.

However, the firm admitted no wrongdoing during that case, and it was praised by officials last week for its incident response following the attack.

“Anthem's cooperation and openness in working with the FBI on the investigation of this sophisticated cyber-attack was imperative in allowing for the identification of these individuals. This also speaks to the strong partnerships the FBI has with the private sector, as well as the tenacity and global reach of the Bureau,” said special agent in charge Grant Mendenhall. 

“It should also be noted that the speed with which Anthem initially notified the FBI of the intrusion on their networks was also a key factor in being able to determine who was responsible for the breach and should serve as an example to other organizations that might find themselves in a similar situation.”

There have been suggestions that the attack was state-sponsored, as an Anthem spokesperson in 2017 claimed there was no evidence that any of the data was sold or used in identity fraud. However, the real motives remain a mystery for now.

Categories: Cyber Risk News

DHS Releases Analysis of ELECTRICFISH Malware

Fri, 05/10/2019 - 18:28

In an attempt to reduce exposure and enable network security, the Department of Homeland Security (DHS) in collaboration with the Federal Bureau of Investigation (FBI) has released a report analyzing a North Korean traffic tunneling tool named ELECTRICFISH.

The DHS and FBI attribute the malware to the North Korean government, whose malicious cyber activity the US government tracks under the name HIDDEN COBRA, in yet another indication of the continued threat from nation-state actors.

“This alert by US-CERT reveals a simple piece of malware which creates a backdoor to provide the attacker direct access to the affected system. Using a custom protocol, likely to help it evade detection from typical network monitoring tools, ELECTRICFISH can pass data or accept an inbound connection that bypasses all system authentication,” said Nathan Wenzler, senior director of cybersecurity at Moss Adams.

According to the analysis, ELECTRICFISH is a command-line tool that accepts arguments for configuring the destination and source IPs and ports, a proxy IP, and a username and password for authenticating with a proxy server.

“The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session,” the US CERT alert said.

Authenticating with a proxy server is a feature that “allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”

The malware’s primary purpose is to funnel traffic between two IP addresses. “This type of connection, using a custom protocol instead of existing protocols like HTTP, is what we refer to as hidden tunnels and is used for command and control of remote systems, as well as for data exfiltration,” said Chris Morales, head of security analytics at Vectra.

“Hidden tunnels used as part of a targeted attack are meant to slip by an organization’s perimeter security controls and indicate a sophisticated attacker. These malicious actors will especially use hidden tunnels in vertical markets where they are also used for approved business applications. Hidden tunnels are used by stock ticker applications commonly found in financial services firms and by cloud access service brokers (CASB) that organizations in multiple industries use.”
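The alert and the quotes above describe ELECTRICFISH as a custom-protocol tunnel that funnels traffic between two addresses and keeps trying to reach both peers. From a defender's side, the behaviours that stand out in flow telemetry are a completed connection on a web port that speaks neither HTTP nor TLS, a session that stays up for hours moving data both ways, and a host that retries an unreachable peer at a steady interval. The following is an added example written for this page, not code from US-CERT or from any vendor quoted here; the flow records are constructed in the shape of Zeek's conn.log fields, and the thresholds (one hour, 10 KB each way, five retries, five seconds of jitter) are assumptions a team would tune to its own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Conn:
    """One flow record in the shape of Zeek's conn.log (constructed for this example)."""
    ts: float
    src: str
    dst: str
    dport: int
    service: str       # application protocol the sensor recognised, "-" if none
    conn_state: str    # SF = completed normally, S0 = no reply, REJ = rejected
    duration: float
    orig_bytes: int
    resp_bytes: int


# Protocols a defender expects on each "web" port. A completed connection on one
# of these ports that speaks neither is a custom protocol riding on a port that
# perimeter rules usually allow out.
EXPECTED_SERVICE = {80: {"http"}, 443: {"ssl"}, 8080: {"http"}}


def port_service_mismatch(c: Conn) -> bool:
    expected = EXPECTED_SERVICE.get(c.dport)
    return expected is not None and c.conn_state == "SF" and c.service not in expected


def long_lived_bidirectional(c: Conn, min_duration=3600.0, min_bytes=10_000) -> bool:
    """A tunnel used for C2 or exfiltration stays up for hours and moves data both ways."""
    return c.duration >= min_duration and c.orig_bytes >= min_bytes and c.resp_bytes >= min_bytes


def periodic_reachouts(conns, min_attempts=5, max_jitter=5.0):
    """Peers that a host keeps trying to reach at a near-constant interval without success."""
    attempts = defaultdict(list)
    for c in conns:
        if c.conn_state in ("S0", "REJ"):
            attempts[(c.src, c.dst, c.dport)].append(c.ts)
    hits = []
    for key, stamps in attempts.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:     # retry interval barely varies: a timer, not a human
            hits.append(key)
    return hits


def find_hidden_tunnels(conns):
    """Return (reason, src, dst, dport) tuples for every flow or peer that looks like a tunnel."""
    findings = []
    for c in conns:
        if port_service_mismatch(c):
            findings.append(("unknown-protocol-on-web-port", c.src, c.dst, c.dport))
        if long_lived_bidirectional(c):
            findings.append(("long-lived-bidirectional", c.src, c.dst, c.dport))
    for src, dst, dport in periodic_reachouts(conns):
        findings.append(("periodic-reconnect-attempts", src, dst, dport))
    return findings


# Constructed sample flows: two benign web sessions, a host that retries an
# unreachable peer every 60 s and then holds a two-hour session speaking an
# unrecognised protocol on 443, and a host with too few retries to matter.
SAMPLE = [
    Conn(900.0, "10.0.0.7", "198.51.100.20", 443, "ssl", "SF", 2.1, 1500, 8200),
    Conn(905.0, "10.0.0.7", "198.51.100.21", 80, "http", "SF", 0.4, 600, 3000),
    *[Conn(1000.0 + 60 * i, "10.0.0.5", "203.0.113.10", 443, "-", "S0", 0.0, 0, 0) for i in range(5)],
    Conn(1300.0, "10.0.0.5", "203.0.113.10", 443, "-", "SF", 7200.0, 240_000, 410_000),
    Conn(2000.0, "10.0.0.9", "198.51.100.30", 443, "-", "REJ", 0.0, 0, 0),
    Conn(2100.0, "10.0.0.9", "198.51.100.30", 443, "-", "REJ", 0.0, 0, 0),
]

if __name__ == "__main__":
    for finding in find_hidden_tunnels(SAMPLE):
        print(*finding)
```

Each check is weak on its own (a legitimate streaming application can also hold a long session), which is why the result carries the reason: an analyst triages a host that trips two or three of them, as 10.0.0.5 does here, ahead of one that trips a single check. Morales's point about stock tickers and CASB agents applies directly: an allow-list of known business tunnel endpoints belongs in front of this logic before it feeds an alert queue.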

Categories: Cyber Risk News

Photo App Develops Tool with User Images

Fri, 05/10/2019 - 17:54
Photo App Develops Tool with User Images

Photo storage app Ever failed to get consent from users who uploaded millions of images to the service before it adopted the images as tools to train a commercial facial recognition system, according to NBC News.

Without disclosing their use of the images to users of the app, Ever also reportedly offered to sell that facial recognition technology to private companies, law enforcement and the military.

“What began in 2013 as another cloud storage app has pivoted toward a far more lucrative business known as Ever AI – without telling the app’s millions of users,” wrote NBC News.

The story has raised a lot of privacy questions around whether photo-based apps should be using photo data submitted by end users to train facial recognition systems without end user consent, even in cases where identifying information about users isn’t shared.  

“Users need to consent to be training data. Faces are one of the most personal things we have, and faces can have legitimate reasons for not wanting to be included in surveillance training systems,” said Miju Han, director of product management at HackerOne.

“That doesn’t even touch the representation problems that can come from unevenly distributed demographics. Apple did the ‘right thing’ in developing faceID – they paid a representative sample of users who consented to being a part of the program to develop a successful algorithm in a privacy-forward way.”

At issue is what the users understand and fail to understand about what happens to the data they choose to upload on any service. “Unless they go through the terms of service in detail, they do not have guarantees about how their data is used. For example, people need to think deeply about whether or not they would want to upload their genetic data to test it for additional markers. Even if there are protective terms, a data breach could put their genetic code in the hands of anyone interested in it,” Han said.

Categories: Cyber Risk News

Top Russian Hacking Group Breaches Three AV Companies

Fri, 05/10/2019 - 17:50
Top Russian Hacking Group Breaches Three AV Companies

A report published today by Advanced Intelligence revealed that three US-based antivirus software vendors have been breached, and a high-profile collective of Russian hackers is claiming responsibility.

Using a credential-stuffing botnet, the known international cybercrime group has reportedly stolen more than 30 terabytes of data from the networks of three US-based antivirus firms. Advanced Intelligence research disclosed that “Fxmsp,” a collective of hackers who speak both Russian and English, has also advertised that access to both the source code and networks of three US-based antivirus software vendors can be purchased for $300,000. The hackers have also provided evidence to validate their claims.

“Cyber-attackers long ago discovered that the easiest way to gain access to sensitive data is via weak, default or otherwise compromised credentials,” said Dr. Torsten George, cybersecurity evangelist at Centrify.

“The reality is that guessing passwords is easier than going up against technology. In fact, a recent Centrify study found that privileged credential abuse is involved in almost three out of every four breaches. Privileged account access provides cyber adversaries with the keys to the kingdom and a perfect camouflage for their data exfiltration efforts.

“It’s well past time to adopt a zero-trust approach, powered by additional security measures such as multifactor authentication (MFA) and privilege elevation, to stay ahead of the security curve. MFA is the lowest-hanging fruit for protecting against compromised credentials.”

The news evidences the reality that no organization is impervious to an attack. “Even security companies aren’t immune from breaches,” said Tim Erlin, VP, product management and strategy at Tripwire.

“They certainly have sensitive data to protect. They may not be targeted as often because the data they have is harder to monetize. Source code for any security product, antivirus included, is valuable to attackers working on ways to circumvent controls or avoid detection. If an attacker knows the internals of how security tools work, they can build exploits to avoid them more easily.”
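The report above attributes the initial access to a credential-stuffing botnet, and George's remarks explain why that works: replayed credentials look like ordinary logins one at a time. What distinguishes stuffing in authentication logs is the aggregate shape of the failures: nearly every failed attempt is for a different account (leaked pairs are tried once each), and a botnet spreads those attempts across many source addresses so no single IP trips a lockout. The following is an added example written for this page, not code from Advanced Intelligence, Centrify or Tripwire; the log line format, the sample events and the thresholds (20 failures, a distinct-user ratio of 0.8, five sources, five accounts per source) are all constructed assumptions to be replaced with an organisation's own format and baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (not any real product's format):
# 2019-05-10T09:00:05Z login src=203.0.113.1 user=user001 result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_events(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue            # tolerate junk lines instead of aborting the whole run
        events.append({"ts": _parse_ts(m["ts"]), "src": m["src"],
                       "user": m["user"], "result": m["result"]})
    return events


def classify_window(fails, min_failures=20, min_user_ratio=0.8,
                    min_sources=5, per_src_users=5):
    """Verdict for the failed logins of one time window.

    Stuffing replays leaked username/password pairs, so almost every failure is
    for a different account (user_ratio near 1) and a botnet keeps each source
    under per-IP lockout thresholds. A single source trying many accounts is
    caught separately by per_src_users.
    """
    users = {e["user"] for e in fails}
    users_by_src = defaultdict(set)
    for e in fails:
        users_by_src[e["src"]].add(e["user"])
    user_ratio = len(users) / len(fails) if fails else 0.0
    distributed = (len(fails) >= min_failures and user_ratio >= min_user_ratio
                   and len(users_by_src) >= min_sources)
    noisy_sources = sorted(s for s, u in users_by_src.items() if len(u) >= per_src_users)
    return {"failures": len(fails), "distinct_users": len(users),
            "distinct_sources": len(users_by_src), "user_ratio": round(user_ratio, 2),
            "noisy_sources": noisy_sources, "stuffing": distributed or bool(noisy_sources)}


def detect(lines, window_start, window_minutes=5, **thresholds):
    """Parse log lines and classify the window starting at window_start (ISO 8601, UTC)."""
    start = _parse_ts(window_start)
    end = start + timedelta(minutes=window_minutes)
    events = parse_events(lines)
    fails = [e for e in events if e["result"] == "fail" and start <= e["ts"] < end]
    return classify_window(fails, **thresholds)


def build_sample():
    """Constructed log: one user mistyping twice, then ten bot IPs each replaying
    three leaked credential pairs exactly once."""
    base = datetime(2019, 5, 10, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i, result in enumerate(("fail", "fail", "ok")):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} login src=192.0.2.10 user=alice result={result}")
    n = 0
    for ip in range(1, 11):
        for _ in range(3):
            n += 1
            ts = (base + timedelta(seconds=5 + n)).strftime(TS_FMT)
            lines.append(f"{ts} login src=203.0.113.{ip} user=user{n:03d} result=fail")
    return lines


if __name__ == "__main__":
    print(detect(build_sample(), "2019-05-10T09:00:00Z"))
```

On the constructed sample the per-source view is clean (no address tries more than three accounts), and only the window-level view reveals the campaign: 32 failures against 31 distinct accounts from 11 sources. That is the gap a per-IP lockout leaves, and it is why the MFA that George recommends remains the control that actually stops a replayed password from turning into access.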

Categories: Cyber Risk News

Only 0.25% of Reported Data Breaches Have Led to Fines Since GDPR

Fri, 05/10/2019 - 09:45
Only 0.25% of Reported Data Breaches Have Led to Fines Since GDPR

New data has discovered that a minute percentage of data breaches closed by the Information Commissioner’s Office (ICO) since the GDPR came into force have resulted in monetary punishments.

According to research from personal data security platform Digi.me, of 11,468 self-reported data breach cases handled by the ICO between May 25 2018 and the end of March 2019, just 29 penalties were handed out – a percentage of 0.25% – and none of them have been under the GDPR but rather the previous Data Protection Act, 1998.

The data, obtained by Digi.me under the Freedom of Information Act, also showed that 37,798 data protection concerns have been raised by members of the public since the GDPR came into force. That figure is almost three times the number of actual data breach cases investigated by the ICO since May 25 2018.

Julian Ranger, founder of digi.me, said: “There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.”

Digi.me’s analysis of the data revealed that the sectors with the most self-reported data breach cases include health, education and finance. The sensitive nature of the data collected by these sectors will only heighten existing concerns about personal data usage, Digi.me said.

Ranger continued: “Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organization that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”

Jake Moore, cybersecurity specialist at ESET, added: “With data breaches being at an all-time high, organizations need an extra push to get their ducks in a row. The lack of monetary penalties is only going to discourage those companies that are making all the internal changes required to comply with GDPR laws while others are having their cake and eating it too. The appropriate level of enforcement is required to make the needle move; therefore the ICO must practice what it preaches.” 

However, an ICO spokesperson said: “We are a proportionate and pragmatic regulator, our work is not just about fines – we prefer education to enforcement but will take our strongest action against those that wilfully, negligently or consistently flout the law.”

Categories: Cyber Risk News

Only 0.25% of Reported Data Breaches Have Led to Fines Under GDPR

Fri, 05/10/2019 - 09:45
Only 0.25% of Reported Data Breaches Have Led to Fines Under GDPR

New data has discovered that a minute percentage of data breaches closed by the Information Commissioner’s Office (ICO) since the GDPR came into force have resulted in monetary punishments.

According to research from personal data security platform Digi.me, of 11,468 self-reported data breach cases handled by the ICO between May 25 2018 and the end of March 2019, just 29 GDPR penalties were handed out – a percentage of 0.25%.

The data, obtained by Digi.me under the Freedom of Information Act, also showed that 37,798 data protection concerns have been raised by members of the public since the GDPR came into force. That figure is almost three times the number of actual data breach cases investigated by the ICO since May 25 2018.

Julian Ranger, founder of digi.me, said: “There is a clear problem with individuals and businesses over-reporting to the ICO. This data demonstrates the extent to which the ICO is inundated by concerns from businesses and the public, the vast majority of which are not serious enough for any kind of penalty or even to warrant an investigation.”

Digi.me’s analysis of the data revealed that the sectors with the most self-reported data breach cases include health, education and finance. The sensitive nature of the data collected by these sectors will only heighten existing concerns about personal data usage, Digi.me said.

Ranger continued: “Businesses and individuals are clearly unsure what constitutes a serious breach of sensitive data. There is no public confidence that personal data is being handled responsibly – any organization that collects personal data should put an informed consent process in place, which has the double benefit of putting individuals back in control of their personal data while also being fully compliant with regulation.”

Categories: Cyber Risk News

Americans Overly Confident in Cyber Hygiene

Thu, 05/09/2019 - 15:29
Americans Overly Confident in Cyber Hygiene

Americans in every state are overconfident in their cybersecurity coverage, with the majority of consumers expressing confidence they are taking appropriate steps to protect themselves, according to the 2019 report published by Wakefield Research and commissioned by Webroot.

The Cyber Hygiene Risk Index, published on May 8, found that 88% of consumers expressed confidence in their own cyber hygiene. Only one in three users, however, reported knowing what the most common forms of cyber-attack are (malware and phishing) or how they work, and many report security habits that leave them dangerously exposed.

The riskiest states – the ones in which consumers are most at risk for cyber-attack – are Mississippi, Louisiana, California, Alaska, and Connecticut. But even the safest states – New Hampshire, North Dakota, Ohio, Idaho, and Kentucky – scored an average of a D rating, with a score of 65% on the states’ scorecard.

The biggest offenses in cyber hygiene include reusing passwords for multiple accounts (63% of Americans), failing to use the “private” setting on social media (64%), and falling for phishing attempts (53%).

There are some superstars of cyber hygiene in every state. This small group (5%) shares the following best practices:

  • They back up their data using both online and offline systems.

  • They pay for their antivirus software (not relying on free options), and they keep it up to date.

  • They use a VPN, ID protection, and secure password management services.

Compared to the overall American population, these superstars of cybersecurity hygiene are more likely to be Boomers, to be married or in a relationship, and to live in the suburbs, and are less likely to be parents.

"While Americans averaged a 60% result (D grade), this could be easily improved with some small changes to their online habits,” said Tyler Moffitt, senior threat research analyst at Webroot. “One of the most shocking (and damaging to grade) habits we saw was the lack of precaution taken when clicking on links or attachments in emails. Louisiana, one of the riskiest states, had 44% of respondents report they did not take ANY precautions when clicking on links or attachments in emails. This behavior is really playing with fire, as our 2018 Threat Report showed 82% of all malicious internet traffic is from malspam phishing emails. Ninety percent of ransomware infections originate from phishing emails, so users really need to be careful.

"Consumers should be aware that emails creating a sense of urgency to click on links or attachments, usually by saying you’re being sued or missed a package, are often malicious. Even if the attachment at first seems like a harmless Word Document or Excel spreadsheet, this is usually just another trick. When opened, the Office attachment almost always asks you to 'enable content.' Consumers should never do this, as it is a macro that will allow malware to infect the computer. Simple education around the common attack vectors, like this one, will go a long way into making consumers more secure in their online habits."

Categories: Cyber Risk News

Blockchain Useful, Not Without Issues, Says ISF

Thu, 05/09/2019 - 15:00
Blockchain Useful, Not Without Issues, Says ISF

The Information Security Forum (ISF) released its latest briefing paper, Blockchain and Security: Safety in Numbers, which identifies security issues associated with developing and deploying blockchain applications.

The organization’s latest briefing paper is intended to aid those involved in blockchain deployment to better understand the benefits and risks of the main components of a blockchain network so that they can determine and then address security requirements by applying a secure systems development life cycle (SDLC) that supports live blockchain application, according to a May 8 press release.

While the assumption is that blockchain is secure because of its anonymity, the technology is not free from risks, which is why the briefing paper sets out the potential security issues that need to be considered before organizations rush to deploy applications using blockchain technology.

“Blockchain’s indelible and visible record provides many advantages. However, this record does not render blockchain immune from security issues,” said Steve Durbin, managing director, ISF, in the release.

“Many of the security issues associated with developing and operating any application – such as managing an implementation, providing acceptable technical support and training staff – are still applicable to blockchain. The main security issues specific to blockchain relate to breaches of the integrity of the ledger and individuals performing malicious or fraudulent transactions.”

The paper points to a paramount concern rooted in the reality that, at this time, blockchain risks are particularly acute because of the technology’s presumed security rooted in the belief that its consensus algorithms are robust. Many also assume that the content of the blockchain ledger is both immutable and irrefutable and that its underlying cryptography is secure enough to last the life of a blockchain application.

Blockchain has been, and will continue to be, put to different uses, yet ISF said the technology may not always be the best solution to a problem.  

“While there may be a commercial advantage from being at the forefront of adopting blockchain, prudent organizations should be aware that blockchain is immature and unforeseen security issues may emerge,” continued Durbin. “Consequently, organizations should place a particularly strong emphasis on evaluating the risks of developing or using blockchain applications before trusting this innovative approach.”

Categories: Cyber Risk News

Fin7 APT Targets Over 130 Orgs after Leader's Arrest

Thu, 05/09/2019 - 13:49
Fin7 APT Targets Over 130 Orgs after Leader's Arrest

Despite the arrest of alleged group leaders, the advanced persistent threat (APT) group known as Fin7/Carbanak has reportedly been using GRIFFON malware to target approximately 130 companies, according to Kaspersky Lab.

According to a recent investigation conducted by experts at Kaspersky, the cyber gang launched spear-phishing campaigns throughout 2018, successfully distributing the malware through emails. Over the course of weeks, operators exchanged messages with their unsuspecting victims. After establishing this trusted connection, the bad actors delivered malicious documents as attachments.

“The emails were efficient social-engineering attempts that appealed to a vast number of human emotions (fear, stress, anger, etc.) to elicit a response from their victims. One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the end of 2018,” researchers wrote.

Researchers observed evidence of collaboration with the AveMaria botnet and other groups known as either CobaltGoblin or EmpireMonkey. In addition, experts reported that the malicious actors created a fake company disguised as a legitimate cybersecurity vendor. The website of this fake organization, though, is apparently registered to the same server that the hacking group uses as a command and control center.

The groups are reportedly using the fraudulent company to recruit unsuspecting freelance vulnerability researchers, program developers and interpreters through online job sites. Researchers suspect that some of those who were hired by this fake company did not suspect that the organization was conducting illicit activity as the employees listed the business on their résumés.

“Modern cyberthreats can be compared to the mythical creature Hydra of Lerna – you cut off one of its heads and it grows two new ones,” said Yury Namestnikov, security researcher at Kaspersky Lab, in the May 8 press release.

“Therefore, the best way to protect yourself from such actors is to implement advanced, multi-layered protection: install all software patches as soon as they are released and do regular security analysis across all networks, systems and devices.”

Categories: Cyber Risk News
