Video and web communications provider Zoom has announced the addition of a new layer of security to its platform – two-factor authentication (2FA).
As explained in a blog post on the company’s website, Zoom’s enhanced 2FA makes it easier for admins and organizations to protect their users and prevent security breaches whilst using the platform.
The announcement follows previous actions taken by Zoom to bolster the security of its service, which have included making available free end-to-end encryption for all users and hiring numerous experienced security experts to provide tailored expertise.
“Zoom’s 2FA within our unified communications platform provides a secure way to validate users and protect against security breaches and provides a number of benefits.” Zoom said these include improved security, enhanced compliance, reduced costs and easier credential management.
With Zoom’s 2FA, users have the option to use authentication apps that support time-based one-time password protocol or have Zoom send a code via SMS or phone call, as the second factor of the account authentication process.
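The time-based one-time password (TOTP) option described above is standardised in RFC 6238, and the server-side check is small enough to show in full. The following is an added example, not Zoom's code: it assumes the defaults most authenticator apps use (HMAC-SHA1, 30-second steps, 6 digits), accepts one step of clock drift either side, compares in constant time, and refuses to accept a step at or below the last one that succeeded so that a code captured in transit cannot be replayed. The sample key is the RFC 4226/6238 test-vector key, not a real secret.

```python
"""TOTP (RFC 6238) second-factor verification with a drift window and replay protection.
Added example; assumes SHA-1, 30-second steps and 6 digits."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step, digits)


def provisioning_uri(issuer: str, account: str, key: bytes) -> str:
    """otpauth:// URI (base32 secret) that an authenticator app enrols from, usually via QR code."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check: accept the current step and +/- `window` neighbours for clock
    drift, compare in constant time, and never accept a step at or below the last one
    that succeeded, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # already consumed (or older): treat as a replay attempt
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment: the RFC test-vector key, not a production secret.
    demo_key = b"12345678901234567890"
    print(provisioning_uri("ExampleCorp", "alice", demo_key))
    verifier = TotpVerifier(demo_key)
    print("first use:", verifier.verify(totp(demo_key, 59), 59))   # True
    print("replayed :", verifier.verify(totp(demo_key, 59), 59))   # False
```

The per-user `last_accepted_step` is the part that is easy to forget: with only the drift window, the same code stays valid for up to 90 seconds and could be submitted twice. The window also needs a per-account attempt limit, since six digits is a small search space for an attacker who can submit guesses freely.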
Commenting on the news, Niamh Muldoon, senior director of trust and security at OneLogin, said: “This is a necessary development, considering the recent increase in Zoom usage over the last few months and the number of zoom-bombing episodes that have ensued. However, security is a two-way street. In order for this to be effective, users will need to enable the use of 2FA.”
Over two-fifths (41%) of insurance claims in North America in the first half of the year were related to ransomware attacks, according to new industry data.
The figures from cyber-insurance provider Coalition, which claims to have over 25,000 SMB clients in the US and Canada, provide a handy insight into the biggest threats to organizations today.
Aside from ransomware, fund transfer losses (27%) and business email compromise (BEC) incidents (19%) rounded out the top three attack types by number of claims in the period.
These two are essentially the same kind of scam, although BEC is committed solely via email whereas fund transfer losses might involve other channels such as phone calls. Together the top three accounted for 87% of all claims in the first six months of 2020.
Coalition’s head of business operations, Jen McPhillips, explained that the number one root cause of ransomware incidents during the period was exploitation of remote access. This indicates that the shift to remote working has provided new opportunities for cyber-criminals to monetize corporate attacks.
This chimes with data released by ESET in June, which pointed to a sharp spike in RDP attacks over the first few months of 2020: from just under 30,000 in December to over 100,000 during May.
As for BEC and fund transfer scams, they accounted for almost half of all cybercrime losses recorded by the FBI last year: coming in at a staggering $1.8bn. This is up from around $1.3bn out of a total of $2.7bn in 2018.
“Email intrusion, invoice manipulation and domain spoofing were the most common attack techniques for funds transfer fraud incidents,” McPhillips continued. “Organizations that use Microsoft Outlook for email were more than three times as likely to experience a business email compromise compared to organizations that use Google Gmail.”
State-sponsored hackers have been in action again, trying to probe the Trump and Biden campaigns for information ahead of the US Presidential election in November, according to Microsoft.
The tech giant’s corporate vice-president for customer security and trust, Tom Burt, revealed that it had detected activity from prolific Iranian, Russian and Chinese groups.
Worryingly, he said that only “the majority” of attacks were “detected and stopped by security tools built into our products.”
Of most concern will be the return of the notorious APT28 (aka Fancy Bear, Strontium), which previously hacked and released damaging emails from Democratic Party officials ahead of the 2016 election.
The group has targeted not only Republican and Democrat consultants but think tanks, national and state party organizations in the US, and European and UK political parties. In total, over 200 organizations have apparently been attacked.
Burt said APT28 is augmenting its typical spear-phishing attacks with new tactics.
“In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations,” he added.
“Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
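The two tactics Burt describes defeat the usual controls in different ways: password spraying tries one or two passwords against many accounts, so per-account lockout never trips, and rotating the attempts across hundreds of IPs keeps each source below per-IP thresholds. The detection logic below is an added example (not Microsoft's), run over a constructed authentication log; it reports a single source touching many accounts, and separately aggregates tenant-wide to catch the distributed case. Thresholds and the log format are assumptions.

```python
"""Added example: flag password-spray patterns in authentication logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): timestamp, account, source IP, outcome.
# First block: one source walking six accounts. Second block: five accounts, five sources,
# one attempt each. Last three lines: ordinary user activity.
SAMPLE_LOG = """\
2020-09-10T08:00:01Z alice 203.0.113.10 FAIL
2020-09-10T08:00:02Z bob 203.0.113.10 FAIL
2020-09-10T08:00:03Z carol 203.0.113.10 FAIL
2020-09-10T08:00:04Z dave 203.0.113.10 FAIL
2020-09-10T08:00:05Z erin 203.0.113.10 FAIL
2020-09-10T08:00:06Z frank 203.0.113.10 FAIL
2020-09-10T08:01:00Z grace 198.51.100.7 FAIL
2020-09-10T08:01:02Z heidi 198.51.100.8 FAIL
2020-09-10T08:01:04Z ivan 198.51.100.9 FAIL
2020-09-10T08:01:06Z judy 198.51.100.10 FAIL
2020-09-10T08:01:08Z mallory 198.51.100.11 FAIL
2020-09-10T08:02:00Z alice 192.0.2.25 OK
2020-09-10T08:02:30Z bob 192.0.2.26 FAIL
2020-09-10T08:02:35Z bob 192.0.2.26 OK
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into (timestamp, user, ip, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def window_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def detect_spray(events, window_minutes=5, per_ip_users=5, spread_users=5, spread_ips=5):
    """Return alerts for each window. Two detectors:
    1. single_source_spray: one IP fails against >= per_ip_users distinct accounts.
    2. distributed_spray: across sources that individually stay under that threshold,
       the number of distinct failing accounts and distinct sources both exceed limits."""
    failures = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "FAIL":
            failures[window_start(ts, window_minutes)].append((user, ip))

    alerts = []
    for start, fails in sorted(failures.items()):
        users_by_ip = defaultdict(set)
        for user, ip in fails:
            users_by_ip[ip].add(user)

        for ip, users in users_by_ip.items():
            if len(users) >= per_ip_users:
                alerts.append({"type": "single_source_spray", "window": start.isoformat(),
                               "source": ip, "users": len(users)})

        quiet = {ip: users for ip, users in users_by_ip.items() if len(users) < per_ip_users}
        quiet_users = set().union(*quiet.values()) if quiet else set()
        if len(quiet) >= spread_ips and len(quiet_users) >= spread_users:
            alerts.append({"type": "distributed_spray", "window": start.isoformat(),
                           "sources": len(quiet), "users": len(quiet_users)})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

The distributed detector deliberately counts failures rather than sources with many attempts, which is why it still fires when each IP is used once. In production the thresholds come from a baseline of the tenant's normal failure rate, and a legitimate mistyped password (bob's, above) is expected to contribute noise; the signal is the ratio of distinct accounts to attempts, not any single event.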
Not to be outdone, China’s APT31 (aka Zirconium) has also been in action targeting the Biden and Trump campaigns, as well as noted figures in international affairs and academia. Microsoft said it has seen thousands of attacks between March and September, resulting in nearly 150 compromises. The activity was also spotted by Google back in June.
“Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account,” explained Burt.
“Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site. For nation state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
Finally, Iran’s APT35 (aka Charming Kitten, Phosphorus) has been unsuccessfully attempting to access the email accounts of Trump campaign staff, said Burt.
The news comes as a new book by noted journalist Bob Woodward has made some shocking new allegations about Trump’s handling of the COVID-19 crisis and attempts by political appointees to influence intelligence reports.
It claims the President knew about and deliberately played down the seriousness of the virus, and that staffers tried to manipulate intelligence reports to play down the intelligence threat from Russia and homegrown white supremacists and hype the threat from China.
The People's Republic of China says the Twitter account of an ambassador who 'liked' a tweet containing pornographic content was hacked.
The account in question belongs to Liu Xiaoming, the PRC's ambassador to the United Kingdom. While Twitter is banned in the PRC, Chinese diplomats and their staff who live overseas are permitted to use the social media platform.
On Wednesday, the account appeared to give a digital thumbs up to a tweet in which a sexual act was depicted in a 10-second video.
Other posts 'liked' by the ambassador's account included comments that were critical of the PRC's Communist party.
The Chinese embassy in London has said that action will be taken unless Twitter instigates an investigation into what the PRC is calling "abominable."
'Likes' that appeared to have been made from the ambassador's account remained visible on Twitter for around an hour before being withdrawn. Other Twitter users, surprised that such content seemed to have met with the ambassador's approval, commented on the likes.
Typically, Liu shares news stories distributed by the Chinese state media that depict the PRC in a positive light. During an interview with the BBC in July, Liu denied human rights atrocities were being committed in Xinjiang despite being confronted with drone footage of the acts being committed.
Several hours after the alleged cyber-incident, a spokesperson for the London embassy issued a statement condemning the hack and attributing it to anti-Chinese cyber-criminals.
“Recently some anti-China elements viciously attacked Ambassador Liu Xiaoming’s Twitter account and employed despicable methods to deceive the public," read the statement.
"The Chinese embassy strongly condemns such abominable behavior."
The embassy said that it had reported the alleged hack to Twitter and urged the company to "make thorough investigations and handle this matter seriously."
The statement continued: "The embassy reserves the right to take further actions and hopes that the public will not believe or spread such rumor.”
Alleged hacking victim Liu republished the embassy’s tweet to his more than 85,000 followers, adding the phrase: “A good anvil does not fear the hammer.”
A hacker or hacking organization is yet to step forward and claim responsibility for the alleged hack.
A cluster of vulnerabilities known as Ripple20 poses a major threat to IT environments, according to new research by a Seattle enterprise cyber-analytics company.
The Ripple20 threat is a series of 19 vulnerabilities found in a low-level TCP/IP software library developed by Treck Inc. called the Treck networking stack. The library is used by device manufacturers across a host of different industries, including utilities, academia, government, and healthcare.
"The ExtraHop threat research team studied customer data and discovered vulnerable software in one out of every three IT environments," wrote researchers.
"With industry average dwell times hovering around 56 days, these devices are a ticking time bomb if left alone."
The researchers predicted that this exploit will be widely used by attackers as an easy backdoor into networks the world over.
"The devices that utilize the Treck stack are far-reaching with the potential for vast exploitation," said Jeff Costlow, CISO at ExtraHop.
"A threat actor could conceivably use this vulnerability to hide malicious code in the embedded devices for an extended period of time, and traditional endpoint or perimeter security solutions like EDR or NGFW will not have visibility into this set of exploits."
Researchers recommended that device manufacturers and security vendors take immediate action and deploy mitigation tactics against the threat.
Specific actions advised include monitoring for scanning activity, isolating vulnerable devices, patching, and removing devices from services if a patch is unavailable.
"Vendors utilizing the Treck Software were given early access to the threat details so they could start producing patches immediately," wrote researchers.
"Unfortunately, a large number of devices have discontinued support, which has made it difficult to account for all vulnerable device makes and models."
Concerned organizations should stay vigilant for unusual activity such as lateral movement and privilege escalation that can indicate a Ripple20 exploit is occurring.
The threat group MAZE claims to have carried out a ransomware attack on the twelfth-largest school system in the United States.
According to their website mazenews.top, the cyber-criminal gang has successfully targeted Fairfax County Public Schools in Virginia with crypto-ransomware.
As proof of the attack, the threat actors have uploaded a zip file of data they claim was exfiltrated from the school system. At the time of publication, Maze had published just 2% of the data they claim to have swiped from Fairfax County Public Schools.
Commenting on the alleged attack, Emsisoft's Brett Callow told Infosecurity Magazine: "FCPS is the 206th public sector entity in the US to be impacted by ransomware so far in 2020 and the 53rd school district."
Callow said that operations at up to 11,190 individual schools and colleges have potentially been affected by ransomware attacks since January.
The costs associated with such incidents are high as victims pay for forensics specialists to determine how the attack happened, fund the implementation of new cybersecurity measures, and in some cases pay the ransom demanded by the attackers.
"In 2019, 966 governments, healthcare providers and educational establishments were impacted at a cost of $7.5bn," said Callow.
A recent report by Emsisoft predicted that the cost of ransomware attacks will increase as the practice of exfiltrating data from victims to use as leverage becomes more common.
"We anticipate that exfiltration+encryption attacks will become increasingly standard practice and, consequently, both the risks and the costs associated with ransomware incidents will continue to increase," wrote researchers.
"Additionally, as the big game hunters are successfully hunting ever bigger game, the overall economic impact of incidents will increase from its current level of $170bn."
If true, the ransomware attack on Fairfax County Public Schools is the second tech-based disaster to befall the school system in 2020. FCPS hit the headlines in April after repeated attempts to roll out remote learning during the COVID-19-related school closures ended in failure.
Back in 2010, a nine-year-old boy managed to hack into the Blackboard Learning System used by FCPS to change teachers' and staff members' passwords, change or delete course content, and change course enrollment.
APT groups are increasingly executing targeted attacks against Linux-based devices as well as developing more Linux-focused tools, according to an investigation by Kaspersky.
This is a result of a growing number of organizations selecting Linux ahead of Windows to run their strategically important servers and systems, and of the perception that the Linux operating system is safer and less likely to be targeted by malware because it is less popular.
However, threat actors have been observed adapting their tactics to take advantage of this trend, and Kaspersky noted that “over a dozen APT actors have been observed to use Linux malware or some Linux-based modules” during the past eight years.
These include notorious groups such as Turla, Lazarus, Barium, Sofacy, the Lamberts and Equation. Kaspersky highlighted the example of the Russian-speaking APT group Turla using Linux backdoors as part of its changing toolset in recent years.
The cybersecurity company added that while targeted attacks on Linux-based systems are still uncommon, malware designed for them does exist, including webshells, backdoors, rootkits and even custom-made exploits.
This means organizations should not be complacent about the threat posed, especially as the consequences of a successful compromise of a server running Linux are often severe. This can include attackers gaining access to the endpoints running Windows or macOS in addition to the infected device.
Yury Namestnikov, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Russia commented: “The trend of enhancing APT toolsets was identified by our experts many times in the past, and Linux-focused tools are no exception. Aiming to secure their systems, IT and security departments are using Linux more often than before. Threat actors are responding to this with the creation of sophisticated tools that are able to penetrate such systems. We advise cybersecurity experts to take this trend into account and implement additional measures to protect their servers and workstations.”
Commenting on the findings, Boris Cipot, senior security engineer at Synopsys said: "It is not a big shock that Linux-based systems also have vulnerabilities and are subject to attacks. There is a common misconception which suggests that Linux-based systems are unbreachable, or that a Mac cannot be affected by malware. Unfortunately, this is not accurate.”
A new type of malware that targets Voice over IP (VoIP) softswitches, potentially for cyber-espionage purposes, has been uncovered by ESET researchers.
The malware, named CDRThief, is designed to attack a specific VoIP platform used by two China-made softswitches called Linknat VOS2009 and VOS3000, which are software-based solutions that run on standard Linux servers. ESET believes the main purpose of this malware is to exfiltrate various private data from a compromised softswitch. This includes call data records, which contain sensitive metadata about VoIP calls such as the IP addresses of callers and call recipients, the start time of the call and its duration.
The cybersecurity firm added that the malware caught its attention because entirely new Linux malware is rarely seen.
CDRThief attempts to steal metadata by querying internal MySQL databases used by the softswitch, with its mode of operation demonstrating a “solid understanding of the internal architecture of the targeted platform.” ESET found that any suspicious-looking strings in the malware were encrypted by the authors in order to hide malicious functionality from basic static analysis. Additionally, even though the password from the configuration file is encrypted, the CDRThief malware is still able to read and decrypt it.
ESET also revealed the malware can be deployed to any location on the disk under any file, and once it starts operating, attempts to launch a legitimate file present on the Linknat platform. ESET researcher Anton Cherepanov, who discovered the Linux malware, said that “this suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software.”
He added: “It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyber-espionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform international revenue share fraud.”
ThreatConnect has announced the acquisition of Nehemiah Security, adding cyber-risk quantification to its existing threat intelligence platform (TIP) and security orchestration, automation and response (SOAR) capabilities.
The deal aims to create a cybersecurity platform that aligns the entire security lifecycle with the goal of reducing risk. The ThreatConnect risk quantifier will identify the risks that matter most to an organization by quantifying them according to their potential financial or operational impact.
ThreatConnect said the acquisition lets it further deliver on its mission of revolutionizing the way organizations protect themselves: turning intelligence into action through a risk-led approach to cybersecurity that makes prioritization easy for security teams, enabling them to filter out noise and focus on what matters most.
Adam Vincent, chief executive officer at ThreatConnect, said: “We began our journey focused on making threat intelligence actionable with our TIP solution, providing a platform to collect, enrich and prioritize intelligence. We evolved our capabilities to deliver an award-winning SOAR platform to market, helping orchestrate and automate security actions with an intelligence-led approach, but we never lost sight of the belief we articulated in 2015 that risk mitigation should drive all action in security.
“We’ve watched with interest as the cyber-risk quantification movement has taken off, keeping an eye on evolving approaches and listening to the experiences of our clients. The decision to acquire Nehemiah was an easy one as they are ahead of the market in terms of their ability to automate cyber-risk quantification.”
In an email to Infosecurity, former Nehemiah Security CEO Paul Farrell said cyber-risk quantification was “an obvious missing puzzle piece in security” and the mentality of the market has shifted dramatically over the past two years.
“It is the most critical piece of the puzzle as understanding the risks that represent the most harm finally allows security to prioritize all activities around the mission of reducing those risks,” he said. “We have been focused on automating the job of cyber-risk quantification, of providing timely results and near instant time to value. We have been focused on integrating data already existing in the security technology stack, of delivering a solution that security people can actually use as a decision support capability.”
He called ThreatConnect “an ideal partner” as the company has “the means to take our vision forward, to provide sales, marketing and engineering resources we could not.”
“When marrying risk into the equation, ThreatConnect not only helps fulfil our vision – where risk drives all decision making in security – but they become one of the most powerful players in security as they can help marry risk, threat and response,” he said. “It really was a match made in heaven – and ThreatConnect will act as a steward of our vision and for the future of security as a whole.”
Small and medium-sized healthcare suppliers and providers are set to get a small cybersecurity boost after the government announced a £500,000 fund to support certification and training.
Announced to coincide with London Tech Week, the half-a-million-pound support package will go to primary care providers (excluding GP practices), medical suppliers and other eligible businesses.
It must be spent on consultancy and certification costs needed to gain accreditation for the government’s Cyber Essentials certification, which guarantees a baseline of best practice security.
This will include training to ensure all mobile devices, laptops and PCs are kept up-to-date with the latest patches, firewalls are configured properly to secure internet connections and user access controls are tightened to prevent unauthorized access to systems.
Although it has been running since 2014, only 50,400 Cyber Essentials certificates have so far been issued, the Department for Digital, Culture, Media & Sport admitted.
Yet healthcare organizations have become an increasingly popular target for attackers, especially during the COVID-19 crisis. The National Cyber Security Centre (NCSC) was forced back in May to issue a joint alert with the US authorities warning of large-scale password spraying campaigns against healthcare and medical research organizations.
“Protecting healthcare has been our top priority during the COVID-19 pandemic and we have been working hard to ensure organizations can keep themselves secure. While we will continue to support them, signing up to initiatives such as Cyber Essentials is an excellent way for organizations to help themselves,” argued NCSC director of operations, Paul Chichester.
“Those who have not already taken up this offer should do so — it will help ensure they have fundamental security protections in place, even in the most challenging of times.”
Yet another cryptocurrency exchange has been hit by a major cyber-attack, this time leading to the loss of over $5m from customers’ hot wallets.
Slovakian firm ETERBASE, which describes itself as “Europe’s premier digital asset exchange,” revealed yesterday that around $5.4m was stolen.
“Law enforcement authorities have been informed and we will assist as much as we can in the ongoing investigations,” it added. “We want to inform our users that we have enough capital to meet all our obligations.”
The firm moved quickly to contact the exchanges that it believes were used to receive the stolen funds. It claimed on Twitter that a large part of the digital currency ended up at Binance, Huobi and HitBTC.
Six hot wallets were affected, holding Bitcoin, Ether, ALGO, Ripple, Tezos and TRON.
Digital thefts at cryptocurrency exchanges are the 21st century equivalent of a bank heist, although with far fewer chances of the culprits ever getting caught.
They occur with worrying regularity: in February this year Italian exchange Altsbit said it had lost almost all the funds entrusted to it in a cyber-attack.
Some of the biggest of recent years have included a $32m attack on Japanese player Bitpoint last year; a $52m heist at South Korea’s UpBit a few months later; a $60m raid on Japanese exchange Zaif in September 2018 and a $31m attack on Seoul-based Bithumb a few months previously.
Many of these raids may have been coordinated by North Korean hackers, who have been singled out for attention by both the UN and security researchers at FireEye.
In fact, last year the UN claimed that Pyongyang had amassed a fortune of $2bn after its increasingly sophisticated hacking units attacked banks and cryptocurrency exchanges.
Security researchers have discovered a new vulnerability in Bluetooth which could allow attackers to perform man in the middle (MITM) attacks and access authenticated services.
The so-called “BLURtooth” vulnerability was independently discovered by teams at the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.
It exists in Cross-Transport Key Derivation (CTKD), which sets up authentication keys for dual-mode devices (e.g. smartphones) that support both the Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) transports.
Several attack scenarios using BLURtooth (CVE-2020-15802) were described. An attacker can exploit the bug to overwrite, and thereby lower the strength of, the Long Term Key (LTK) or Link Key (LK) encryption keys used to pair devices.
“Vulnerable devices must permit a pairing or bonding to proceed transparently with no authentication, or a weak key strength, on at least one of the BR/EDR or LE transports in order to be susceptible to attack,” explained Carnegie Mellon University.
“For example, it may be possible to pair with certain devices using JustWorks pairing over BR/EDR or LE and overwriting an existing LTK or LK on the other transport. When this results in the reduction of encryption key strength or the overwrite of an authenticated key with an unauthenticated key, an attacker could gain additional access to profiles or services that are not otherwise restricted.”
Devices that had previously been paired but are vulnerable to the exploit may also be exposed to MITM by attackers within range.
“If a device spoofing another device’s identity becomes paired or bonded on a transport and CTKD is used to derive a key which then overwrites a pre-existing key of greater strength or that was created using authentication, then access to authenticated services may occur,” explained the Bluetooth Special Interest Group (SIG).
There doesn’t appear to be a patch available for BLURtooth as yet, although the SIG said it is “encouraging” its member companies to roll one out when ready.
In the meantime, it recommended that “potentially vulnerable implementations introduce the restrictions on CTKD mandated in Bluetooth Core Specification versions 5.1 and later.”
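The SIG's recommendation amounts to a single rule at the point where a CTKD-derived key is written into the key store: never let it replace a key that is stronger, or that was established with authentication, for the other transport. The model below is an added example, not code from the Bluetooth SIG or any stack; it is a deliberately simplified Python simulation in which key strength is the negotiated key size and authentication is a flag, with an unrestricted store beside the restricted one so the Just Works scenario quoted above can be replayed against both. Class and function names are assumptions.

```python
"""Added example: a simplified model of the CTKD overwrite restriction."""
from dataclasses import dataclass
from typing import Dict

BR_EDR = "BR/EDR"   # classic transport, protected by the Link Key (LK)
LE = "LE"           # Low Energy transport, protected by the Long Term Key (LTK)


@dataclass(frozen=True)
class PairingKey:
    transport: str
    size_bytes: int      # negotiated key size; Bluetooth allows 7..16 bytes
    authenticated: bool  # True for MITM-protected pairing, False for Just Works


def derive_cross_transport(key: PairingKey) -> PairingKey:
    """CTKD: derive the other transport's key from a freshly established one. In this
    model the derived key inherits the source key's size and authentication status."""
    other = LE if key.transport == BR_EDR else BR_EDR
    return PairingKey(other, key.size_bytes, key.authenticated)


class UnrestrictedKeyStore:
    """An implementation without the restriction: CTKD output simply replaces
    whatever key the other transport already had."""

    def __init__(self):
        self.keys: Dict[str, PairingKey] = {}

    def store_from_pairing(self, key: PairingKey) -> None:
        """Key established by pairing on that transport itself."""
        self.keys[key.transport] = key

    def apply_ctkd(self, derived: PairingKey) -> bool:
        self.keys[derived.transport] = derived
        return True


class RestrictedKeyStore(UnrestrictedKeyStore):
    """Hardened store: refuse a derived key that would weaken or de-authenticate
    the key already held for that transport."""

    def apply_ctkd(self, derived: PairingKey) -> bool:
        existing = self.keys.get(derived.transport)
        if existing is not None:
            if derived.size_bytes < existing.size_bytes:
                return False  # would reduce encryption key strength
            if existing.authenticated and not derived.authenticated:
                return False  # would replace an authenticated key with an unauthenticated one
        self.keys[derived.transport] = derived
        return True


def just_works_le_pairing(store: UnrestrictedKeyStore, size_bytes: int = 16) -> bool:
    """Simulate the quoted scenario: a Just Works pairing on LE followed by CTKD onto
    BR/EDR. Returns whether the BR/EDR key was (re)written."""
    le_key = PairingKey(LE, size_bytes, authenticated=False)
    store.store_from_pairing(le_key)
    return store.apply_ctkd(derive_cross_transport(le_key))


if __name__ == "__main__":
    for cls in (UnrestrictedKeyStore, RestrictedKeyStore):
        store = cls()
        store.store_from_pairing(PairingKey(BR_EDR, 16, authenticated=True))
        overwritten = just_works_le_pairing(store)
        print(cls.__name__, "BR/EDR key overwritten:", overwritten,
              "| still authenticated:", store.keys[BR_EDR].authenticated)
```

The comparison is per transport and per property: a derived key may replace an existing one when it is at least as long and does not drop authentication, so legitimate re-pairing with a stronger method still succeeds. What the check does not cover is the identity-spoofing case the SIG quote mentions; that depends on the pairing layer binding the peer's identity, which this model does not represent.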
Small-business owners are worried that their employees' use of social media is a potential security risk, according to new research by the Cyber Readiness Institute.
A survey of 400 SMB owners and 1,059 US workers found that 56% of owners believe that their employees’ social media use poses a cybersecurity threat to their business.
Despite their fears, 82% of employers said that they allow employees to use personal devices to access work email or other data and 67% of business owners allow their employees to use social media applications on work devices.
While 56% of employees said that they have social media applications on devices they use for work, only 30% had been issued with guidelines on the use of social media applications on those devices.
Almost a quarter—22%—of workers admitted to ignoring or bypassing the cybersecurity guidelines issued by their company on a daily or weekly basis.
“It is clear that small-business owners are fully aware of the cybersecurity risks associated with mixing personal and work activities on the same device,” said Kiersten Todt, managing director of the Cyber Readiness Institute.
“SMBs now need to issue policies that address these risks. More than 4-in-5 owners allow employees to use personal devices for work and only about half have policies regarding the apps that can or cannot be on the devices used. It is a recipe for cyber insecurity."
Installing social media apps on work devices was common among employees, with 42% of business owners saying that more than 75% of their employees have social media applications on devices they use for work.
Facebook was the most popular app used by workers on their work device, with 50% of those surveyed saying that they used it.
More than half of employees—56%—said that their company has not issued new guidelines on the use of social media apps on work devices since the COVID-19 pandemic had triggered the introduction of remote working.
Some 36% of employers were considering adding new policies on social media apps, or modifying existing ones, for employees having to work from home to slow the spread of the novel coronavirus.
A federal judge has dismissed a lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach.
The potential class-action suit was filed in June last year over a data-sharing partnership between Google and the University of Chicago Medicine.
In 2017, Google received the anonymized data of University of Chicago Medicine patients for research purposes. The data was sent by University of Chicago Medicine under an initiative to improve predictive analysis of hospitalizations and subsequently raise the level of patient care.
Under the partnership, the tech giant used machine learning techniques to analyze the patient data in the hope of detecting when a patient’s health is deteriorating. The idea was to find out if and how a timely intervention might prevent the need for hospitalization.
Data sent by the University of Chicago Medicine to Google belonged to hundreds of thousands of people who were patients of the healthcare provider between 2009 and 2016. Although de-identified, the data contained time stamps of dates of service and notes made by physicians.
Edelson PC filed the lawsuit on behalf of lead plaintiff Matt Dinerstein, a patient of UC Medical Center who stayed at the hospital twice in 2015.
The suit alleged that Dinerstein’s confidential protected health information had been shared with Google without first being appropriately de-identified. The suit claimed that the alleged data breach had come to light after the publication of a 2018 research study that confirmed notes and time stamps had not been removed from the data before it was sent to Google.
In the suit, Dinerstein sought a royalty for the use of his protected health information by Google. The plaintiff claimed his medical records were of value to himself and had been stolen.
Federal judge Rebecca Pallmeyer of the United States District Court Northern District of Illinois Eastern Division dismissed the suit on September 4. Pallmeyer ruled that royalties are only appropriate when a property right has been interfered with, and Dinerstein had failed to establish that he had property rights to his own personal health information.
The Bank of England is to make securing cashless payment technology and preventing cybercrime a top priority.
The decision by the 326-year-old institution to focus on cybersecurity and digital payments was revealed yesterday by an external member of the Bank of England's financial policy committee. The committee was created in 2010 with the remit of monitoring the economy of the United Kingdom.
According to Law360.com, committee member Elisabeth Stheeman said that the impact of the COVID-19 pandemic on the financial system was key in driving the decision to focus on cyber-issues. According to Stheeman, what had been a gentle stroll toward digital dominance in everyday payments had increased to a leggy gallop.
"The reality is that online fraud and cyber-hacking of digital accounts have outstripped traditional theft of banknotes and gold," Stheeman said. "Payments have undergone rapid innovation in recent years, and the COVID-19 shock has accelerated these trends."
Stheeman said the committee believes these two areas will be critical in creating the kind of operational resilience that will enable the system to contain and withstand future unforeseen financial crises.
To achieve such resilience, Stheeman said the committee will call for more frequent stress-testing to gauge how well banks can recover from cyber-attacks. The committee also plans to create new standards for how quickly and effectively financial institutions should be expected to contain cyber-attacks.
Stheeman anticipates that the responsibility for ensuring the security of digital payments will lie with technology companies in the future, rather than with banks.
Cyber-criminals have sought to exploit the changes wrought by the global health pandemic, creating scams promising cures or vaccinations and targeting the newly opened up attack surface created by the increase in remote working.
Across the pond, Americans have lost more than $77 million in fraud related to COVID-19 since the outbreak began, according to the US Federal Trade Commission. John Breyault, vice president of public policy, telecommunications, and fraud at the National Consumers League, thinks the real figure is much higher.
“I think the FTC’s numbers are almost certainly just the tip of the iceberg when it comes to fraud losses,” Breyault said. “We know fraud is historically an under-reported crime.”
Malicious actors have substantially evolved their use of fake alert scams in recent years, in particular by increasingly targeting mobile users, according to a new report by Sophos.
The investigation, authored by Sean Gallagher, senior threat researcher at Sophos, found that “a vast majority” of the fake alerts in malvertising networks targeted mobile users. This is partly because mobile has become a greater source of internet traffic, but these devices also offer easier modes of attack compared to desktop. For instance, iOS Safari’s accessibility function allows pop-up ads to make phone calls to lure victims to a dodgy app on the corresponding app store without scammers needing to cold call or voice-phish victims.
Gallagher added that most of the iOS fake alerts discovered were linked to App Store listings for a group of apps that claimed to be virtual private networking and site blocker tools. These apps all included in-app purchases, requiring payments to be made following a trial period.
The study also observed that desktop tech support scam operations have evolved over the past decade, primarily shifting from call center cold calls to more automated targeting techniques. These include pull-based attacks based on Google search ads and search engine optimization, vishing campaigns prompting the target to call back, and email or text phishing campaigns to lure targets to a fraudulent website.
In addition, the report highlighted that malicious alerts masquerading as pop-up/pop-under ads are being routed through legitimate advertising networks such as PopCash.net and PopAds.net. They are therefore able to slip through, as blocking them would substantially disrupt these advertising networks’ business models.
“At least on the desktop, there are multiple ways to prevent having an encounter with a fake alert site to begin with,” commented Gallagher. “The problem on the mobile side, however, remains largely a user education issue. While Apple and Google have made it more difficult for scammers to leverage browser features to attack users’ privacy and install unwanted applications without intervention, pop-up defenses remain weak and app store abuses remain an issue. As protections increase on desktops against malvertising, more scammers will focus on the weaknesses of mobile devices.”
Businesses fear suffering a data breach and expect it to be caused by an insider or internal error.
A survey of 500 IT professionals by Exonar found that 94% of respondents have experienced a data breach, and 79% were worried their organization could be next.
In an email to Infosecurity, Niamh Muldoon, senior director of trust and security at OneLogin, said the fear associated with breaches stems from the security culture within the organization, along with the security reporting structure.
“Having security teams in close dialogue with executive leadership, supporting the leadership to make informed risk-based decisions and driving the business strategy, including the technologies used, reduces this fear significantly,” she said.
“Secondly, not understanding information security, its components and principles drives fear and anxiety of the unknown, so having security education training, and developing awareness and consciousness of threats, will enable and empower the entire organization to act with a ‘security first’ mindset.
“Finally, recognizing the importance of access control to protect systems and data is a foundational level control that organizations can apply to reduce the risk of a data breach. Hand in hand with this is partnering with trusted identity and access control platform providers who can provide enterprises with that security expertise and industry leadership.”
In terms of what is causing the breaches, 40% of respondents to the Exonar survey said accidental employee incidents were to blame, compared to 21% who blamed external attackers. Asked if this is a case of businesses not having a handle on what leaves their organizations (either intentionally or accidentally), Sammy Migues, principal scientist at Synopsys, said insiders already have access and can leave with data invisibly, which might turn up somewhere embarrassing later.
Migues added: “Insiders make bad decisions to temporarily put data in the cloud without knowing how to secure it. Insiders are pretty sure it is okay to just tell a few people about that new thing that no one should know about. Insiders know exactly how to hurt the organization if they want to. Between accidents and malicious intent, insiders are a major concern.”
Muldoon said: “Firstly, always remember your employees are your biggest information asset. Security is the biggest enabler supporting business moves forward, especially during times of uncertainty, and fostering and growing good working relationships with your organization’s security team will help to bring diversity and inclusion to business strategy and decisions, while creating and maintaining highly-performing teams.
“Secondly, as the saying goes, you are only as strong as your weakest link, so working with an organization to ensure access to systems and data is provisioned only on a need-to-know basis will go a long way. This is where working with a trusted identity and access control partner really benefits an organization as a single access view of access for internally housed systems and/or cloud-based systems.”
BlackBerry has announced the launch of dedicated EU data centers to comply with new and existing GDPR regulations.
Located in the Netherlands and France, the new data centers will add to BlackBerry’s existing infrastructure in the UK and will help the company to provide dedicated EU instances of its critical event management platform AtHoc.
Under a new EU regulation, all member states must establish a critical event public warning system to protect citizens by 2022. BlackBerry explained that, with its new EU-dedicated data centers, organizations will be able to safely and securely communicate with their workforce and other organizations through any device in the event of a natural disaster, terrorist attack or other major contingencies.
“Empowering our customers with the most secure communication platform for increasing resiliency and communicating swiftly is critical in a crisis,” said Adam Enterkin, senior vice-president EMEA at BlackBerry. “It is also vital that we are able to adhere to new and existing EU data residency requirements per the GDPR. With BlackBerry AtHoc’s new EU-based data centers we are able to scale our infrastructure to better support our customers’ needs over a secure and reliable network.”
Security researchers have discovered six critical vulnerabilities in third-party code which could expose countless operational technology (OT) environments to remote code execution attacks.
A team at Claroty found the bugs in Wibu-Systems’ CodeMeter software license management offering, widely used by many leading vendors of industrial control system (ICS) products.
ICS-CERT has given them a collective CVSS score of 10.0, the highest level of criticality.
“Successful exploitation of these vulnerabilities could allow an attacker to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data and prevent normal operation of third-party software dependent on the CodeMeter,” the US Cybersecurity and Infrastructure Security Agency (CISA) noted.
Attackers could phish their targets, socially engineering them into visiting a malicious site under their control to inject a malicious license onto the victim machine. Or they could exploit one of the bugs to create and inject forged licenses onto a machine running CodeMeter, Claroty said.
The firm claimed the worst of the bugs allow attackers to compromise the CodeMeter communication protocol and internal API, allowing them to send commands to any machine running the code.
This could enable complete remote takeover, allowing attackers to install ransomware or other exploits and/or crash programmable logic controllers (PLCs) because of the malicious license.
Mitigating the threat is made harder because many OT managers may not know a vulnerable version of CodeMeter is running. Claroty recommended scanning for the product, blocking TCP port 22350 and contacting ICS vendors to check if they can manually upgrade the third-party CodeMeter component.
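As an added illustration of the scan-and-block advice above (example code, not Claroty's or Wibu-Systems' tooling), the following Python filter inventories hosts reached on CodeMeter's TCP port 22350 from connection logs, so that the port block can be checked against what is actually in use. It assumes a constructed "timestamp src_ip dst_ip proto dst_port" log format and a hypothetical OT address range of 10.10.0.0/16.

```python
# Added example: inventory hosts reached on CodeMeter's TCP/22350 from flow logs.
# Not Claroty's or Wibu-Systems' code. Assumes a constructed log format
# "timestamp src_ip dst_ip proto dst_port" and a hypothetical OT address range.
import ipaddress
from collections import defaultdict

CODEMETER_PORT = 22350  # the port Claroty advised blocking

# Constructed sample flow records, not real traffic.
SAMPLE_FLOWS = """\
2020-09-10T08:00:01 10.10.1.5 10.10.1.20 tcp 22350
2020-09-10T08:00:02 10.10.1.6 10.10.1.20 tcp 22350
2020-09-10T08:00:03 10.10.1.7 10.10.1.21 tcp 443
2020-09-10T08:00:04 203.0.113.9 10.10.1.20 tcp 22350
2020-09-10T08:00:05 10.10.1.5 10.10.1.22 udp 22350
malformed line that should be skipped
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport); silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, proto, port = parts
        try:
            ipaddress.ip_address(src)  # validate both addresses
            ipaddress.ip_address(dst)
            yield src, dst, proto.lower(), int(port)
        except ValueError:
            continue

def codemeter_inventory(text, ot_network="10.10.0.0/16"):
    """Return (servers, external_sources): servers maps each host reached on
    TCP/22350 (a likely CodeMeter service) to its clients; external_sources are
    clients outside ot_network, i.e. traffic the recommended port block cuts off."""
    net = ipaddress.ip_network(ot_network)
    servers, external = defaultdict(set), set()
    for src, dst, proto, dport in parse_flows(text):
        if proto != "tcp" or dport != CODEMETER_PORT:
            continue  # only the CodeMeter TCP service is of interest
        servers[dst].add(src)
        if ipaddress.ip_address(src) not in net:
            external.add(src)
    return dict(servers), external
```

Running `codemeter_inventory(SAMPLE_FLOWS)` on the constructed records reports one likely CodeMeter host (10.10.1.20) and one client outside the OT range reaching it, while the UDP and port-443 records are ignored.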
A report from Claroty last month claimed that over 70% of ICS vulnerabilities disclosed in the first half of the year can be remotely exploited.
Security researchers are warning users of popular content management system (CMS) platforms that they could be exposed to a range of cyber-threats, after uncovering 89 zero-day vulnerabilities.
A team at Comparitech decided to investigate a recent surge in web defacement attacks which appears to have bucked the long-term trend of a decline in such activity.
Monthly attacks soared from around 300,000 in July 2019 to nearly 700,000 in May 2020. Comparitech privacy advocate Paul Bischoff claimed the rise may be due to hackers staving off boredom while in lockdown.
As part of its investigation, the team uncovered 89 zero-day vulnerabilities in platforms such as WordPress, Joomla, Drupal and Opencart — and their plugins.
It claimed that as many as 100,000 websites are currently running plugins vulnerable to exploitation of these bugs, the vast majority of them on WordPress (78,430) and Joomla (16,360).
“Researchers analyzed the source code of five popular mass-hacking bots, each of which can take advantage of 40 to 80 exploits,” Bischoff continued. “Arbitrary file upload vulnerabilities are the most common, which allow attackers to upload shell scripts onto web servers. Those shell scripts can then be used to remotely execute code and deface the site.”
However, web defacement represents a relatively minor impact compared to the potential damage such attacks could cause.
“Many of the exploits could also be used to distribute malware, set up phishing pages, redirect users to other malicious pages, install card skimming malware, add the server to a botnet, install a cryptominer, encrypt site data with ransomware or launch a number of other attacks on the site and its visitors,” Bischoff warned.
Comparitech also found that a relatively small number of the exploits it analyzed appear in vulnerability databases: just 124 out of a total of 280. This makes it less likely that security teams and vendors will have documented and built-in protections against them.
Scanning for specific plugins, databases and other elements known to be vulnerable is relatively straightforward via specially crafted searches known as “dorks,” explained Bischoff. Alternatively, IP scanning bots or IoT search engines like Shodan.io, Censys and BinaryEdge can be used. Off-the-shelf hacking tools have also lowered the barrier to entry significantly over recent years, he concluded.