Security researcher Troy Hunt is teaming up with Mozilla to offer his popular Have I Been Pwned (HIBP) service to Firefox users.
Over the next few months Mozilla will be trialling a new Firefox Monitor tool designed to help users check if they’ve been breached or not by searching the vast HIBP database. It now contains over three billion unique email addresses, according to Hunt.
“This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream,” he explained.
In order to boost security and privacy, the two parties are working to ensure any breached data shared or accessed is done so anonymously, by using new “hash range query” API endpoints via Cloudflare’s k-Anonymity technique.
“Hash range queries add k-Anonymity to the data that Mozilla exchanges with HIBP. Data with k-Anonymity protects individuals who are the subjects of the data from re-identification while preserving the utility of the data,” explained Mozilla privacy engineer, Luke Crouch.
“When a user submits their email address to Firefox Monitor, it hashes the plaintext value and sends the first six characters to the HIBP API. The API responds with many suffixes and the list of breaches that include the full value. When Firefox Monitor receives this response, it loops thru the objects to find which (if any) prefix and breached account HashSuffix equals the user-submitted hash value.”
What’s more, HIBP doesn’t share all of its hashes, allowing Firefox users to maintain privacy and protecting breached users from exposure, said Crouch.
The service will be trialled with around 250,000 users located mainly in the US.
Hunt has also agreed a new deal with password management firm IPassword which will integrate the HIBP service into the Watchtower feature of the product’s web version, allowing users to see if their passwords have been exposed in a previous breach.
The risks around IDN Homographs are “significant and growing” according to research by Farsight Security.
Its research around IDN lookalike domain names (also called Homographs) over a 12-month period focused on 466 top global brands across 11 vertical sectors. From this, it found 8000 IDN Homographs representing or containing a top global brand name, and 91% offering some sort of webpage and “clear violations of the ICANN Guidelines for the Implementation of Internationalized Domain Names.”
The company explained that IDNs enable a multilingual internet by allowing users to register and use domain names in almost any written language. As IDN homographs are easy to register and often go undetected by traditional security solutions, these lookalike domains are increasingly being used to commit phishing and other malicious activities.
Dr. Paul Vixie, CEO, chairman and co-founder of Farsight Security told Infosecurity that it initially published a report about this at the start of the year “as we had a theory that this was happening.
“Everybody who is supposed to govern the internet here is supposed to follow rules that preclude this from happening, but they don’t have a way to enforce it,” he said. “So you’re not supposed to be able to use a non-English character in the middle of an English word as that is prohibited by the contracts that they all signed with each other, but no one enforces it. The more we looked the more we found.”
Vixie went on to say that it is critical that organizations identify and manage potential risks to their brands, including IDN homographs, as in most cases “IDN homographs are registered with the purpose to infringe on brands owned by other people/organizations.”
He added: “Our research shows that IDN homographs are often new IDN-based registrations of pre-existing brands; they're not used to ‘replace’ a given website: rather they are often used to create new websites which are, in some (usually malicious) cases, phishing sites of the brands they are lookalikes for.”
Scores of NGOs, rights groups and academics have filed complaints with the European Commission that member states have ignored EU Court of Justice (CJEU) rulings on mass surveillance.
UK groups Privacy International, Liberty and the Open Rights Group (ORG) joined the complainants, who want to end the practice of blanket and indiscriminate retention of communications data.
This was ruled unlawful by the CJEU in 2014 and 2016, yet member states continue to allow the practice and have been reluctant to share plans on how they propose to comply, according to the groups.
Although the standoff does not concern the content of communications, the groups argue that data on who we interact with, as well as how, when and where, is nevertheless highly sensitive.
It’s claimed that as many as 17 member states still allow non-targeted bulk data retention, despite the court’s rulings.
In 2016, the CJEU ruled that “national legislation such as that at issue in the main proceedings therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified, within a democratic society.”
Tomaso Falchetta, head of advocacy and policy at Privacy International, claimed that the joint action should not have been necessary.
“Governments have already been told clearly and unequivocally through two key rulings that they must stop blanket and indiscriminate retention of personal data,” he added. “In a world when more and more data can be generated, collected, shared, and exploited by governments and companies alike, strong privacy protections must be enforced.”
ORG executive director, Jim Killock, argued that the EU court was completely clear about blanket data collection.
“Governments do not get to pick and choose what courts tell them. When they do, they undermine the rule of law itself,” he added.
Complaints have been filed in 11 EU Member States: Belgium, the Czech Republic, France, Germany, Ireland, Italy, Poland, Portugal, Spain, Sweden and the United Kingdom.
The HMRC has amassed a database of 5.1 million UK taxpayers’ voice IDs without their consent, potentially contravening the GDPR, a leading rights group has claimed.
Big Brother Watch argued that when individuals call the tax credits and self-assessment helplines they are asked to create a voiceprint which will be used to identify them in future.
However, although the tax office claims that “they can choose to opt-out and continue to use HMRC’s services in the usual way if they prefer,” the reality is very different, according to the privacy group.
“Upon calling HMRC’s self-assessment helpline we were met with an automated system. After the account verification questions, the system demanded that we create a voice ID by repeating the phrase ‘my voice is my password’,” it explained in a blog post.
“Far from ‘encouraging’ customers’, HMRC offers no choice but to do as the automated system instructs and create a biometric voice ID for a government database.”
The only way to avoid creating the voice ID is apparently to say “no” three times — something most users wouldn’t think to do.
Big Brother Watch claimed the system may break the law because it doesn’t obtain explicit consent from users in the form of a positive opt-in, as required by the GDPR.
Under the European privacy law, now part of UK law in the form of the Data Protection Act 2018, individuals should have a 'right to erasure', meaning the HMRC has to delete their voice ID if requested.
However, the Big Brother Watch investigation concluded that HMRC doesn’t have an accessible process to do so. Although taxpayers can de-select the use of their voice ID as a security check, they can’t have the ID itself deleted from the government database.
“We sent HMRC a Freedom of Information request, asking how an individual could securely delete their voice ID and use the usual method to access the helpline. Disturbingly, HMRC refused to answer our question under FOIA Exemption s31 (1) (a) — prejudice to the prevention or detection of crime,” the group claimed.
“This suggests that taxpayers’ voiceprints are being used in ways we do not know about.”
The ICO is said to be investigating the case.
Similarities among malicious documents used in attacks on South Korea suggest there could be a link between attacks on cryptocurrency and banks in South Korea. AlienVault has discovered cyber-attacks on South Korea by the North Korea-linked Lazarus Group. The attack methods are similar in nature to recent attacks on banks and Bitcoin exchanges. By leveraging the Manuscrypt malware, Lazarus reportedly “communicates by impersonating South Korean forum software.”
The three samples analyzed by the AlienVault labs team appeared to be Hangul Word Processor (HPW) files, which is a South Korean document editor. The samples contained “malicious postscript code to download either a 32- or 64-bit version of the next stage.” According to Hybrid Analysis, the malicious document that mentions the G20 International Financial Architecture Working Group Meeting had – among other indicators – the ability to query CPU information and to register a top-level exception handler. Another document identified as malicious was a decoy resume.
Interestingly, the documents used in the recent hack of the South Korean cryptocurrency exchange also contained malicious HWP files and involved fake resumes. Bithumb is a major South Korean Bitcoin exchange that was hacked, with $30M in coins stolen.
“There were earlier reports of related malicious HWP documents from Lazarus targeting crypto-currency users in South Korea earlier this month. In that case, we noticed there are a number of crypto-currency phishing domains that are registered to the same phone number as a domain (itaddnet[.]com) used to deliver some of the malware,” AlienVault wrote.
Researchers suggested that criminals are not only delivering malware but also phishing for credentials, and if these attacks are connected to Lazarus, the group doesn’t show any signs of slowing down its activity. Lazarus is reportedly responsible for several attacks against banks, and the group has been collecting sizable payouts.
While it is tempting to want to connect all of the dots back to the Lazarus group, some evidence suggests otherwise. Other attacks reported earlier this month appeared to involve malicious HWP documents reportedly from Lazarus targeting cryptocurrency users in South Korea. However, domain registration is not typical activity for Lazarus.
“Normally they prefer to compromise legitimate websites. So this would be an unusual attack if it is indeed run by members of Lazarus,” researchers said.
A cyber-espionage group has been weaponizing presumably secure USB drives to target air-gapped critical systems. The Tick group, discovered by researchers at Palo Alto Networks Unit 42, reportedly targets organizations from Japan and South Korea with custom malware, including Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader.
Though the type of USB drive compromised in the attack was supposed to be certified as secure by the South Korean ITSCC, the Tick group loaded malicious files onto the USBs. The number of drives compromised remains unknown.
“The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet,” Unit 42 wrote. Without possession of a compromised USB drive or access to the malicious file, Unit 42 could not detail all sequences in the attack. Researchers said it is also unclear whether the devices were corrupted through the supply chain or post-manufacturing.
Based on what they have observed, researchers said that the infection process begins with a Trojanized version of legitimate software that starts monitoring storage devices when executed.
"This particular attack bears all the signs of a very specific targeted attack designed to infect particular institutes or machines – not too dissimilar to Stuxnet,” said Javvad Malik, security advocate at AlienVault.
“Employees that work in sensitive organizations that have air-gapped networks should be particularly vigilant against plugging in devices. In some cases, even approved USB drives should be tested in a separate environment prior to being loaded in secure areas.”
In part, the rapid pace of digital transformation enables these types of attacks as air gap is removed and modern ICS networks are connected not only to the larger enterprise but to third parties as well.
“Cyber-criminals across the globe are continually developing their strategies and coding, as well as behavior, to stay ahead of market defense strategies. To attack critical infrastructure, employees are often targeted with tactics to identify vulnerabilities such as weak password storage, unsecured remote access pathways, social engineering campaigns and installing malware on USBs,” said Scott Walker, senior solutions engineer, Bomgar.
A known malicious actor who goes by the username Yattaze has been selling a malware downloader, Kardon Loader, as a paid open beta product, which Netscout Arbor believes is a rebranding of the cyber-criminal’s ZeroCool botnet.
Advertised on underground forums since late April, the malware downloader has full bot capabilities and is offered at a starting price of $50 BTC for the standard version and $70 BTC for the botshop. According to a recent post from Netscout Arbor, “the actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.”
Customers on underground forums are invited to join the project and start their own network using the Kardon Loader, which claims to be extremely stable and capable of holding large amounts of clients.
The relatively small size of the malware (10kb), which is still in development, reportedly sets it apart from other malware downloaders currently available. It is also is advertised as being specifically programmed for crypter compatibility.
Malware downloaders and botshops are often used by malware authors and distributors to both create botnets and distribute additional payloads. Those payloads – run by third-party operators of malware distribution networks – can include credentials theft, ransomware and banking Trojans, however, Yattaze used a disclaimer in the Kardon ad stating that the software should not be used for malicious purposes, but that it is “for personal use and educational purposes only, you take full responsibility for any type of misuse of the software.”
This new botnet-capable malware loader doesn’t represent new advances in the way the cyber-criminal community functions, said Sean Newman, director of product development for Corero Network Security, who pointed out that botnets are regularly used to launch distributed denial-of-service attacks.
“We are way past the time when hackers operated solely in isolation and had to craft every component of their attacks themselves. Pretty much every element of cybercrime is now part of a broader ecosystem, with hackers specializing in certain areas and then selling those skills or capabilities on the dark web to others who can then use that for a broader cybercrime campaign.”
Privacy rights campaigners are celebrating a major victory after the Supreme Court ruled that the US government must seek a warrant to obtain mobile phone location data on individuals.
The 5-4 ruling grants Fourth Amendment protection to what it described as “deeply revealing” data which can be used to create a “detailed chronicle of a person’s physical presence compiled every day, every moment over years.”
“As the Court noted, not only does access to this kind of information allow the government to achieve ‘near perfect surveillance, as if it had attached an ankle monitor to the phone’s user,’ but, because phone companies collect it for every device, the ‘police need not even know in advance whether they want to follow a particular individual, or when’,” said EFF attorneys Andrew Crocker and Jennifer Lynch.
Crucially, the Supreme Court rejected the “Third Party Doctrine”: a legal principle the government had relied on for years to justify its warrantless collection of phone data.
It dates back to the 1970s and asserts that the fact data is collected by a third-party automatically renders it devoid of constitutional protection.
The court ruled that these location technologies are now so advanced they can be used to map in an extremely precise way users’ movements at all times via an “exhaustive chronicle” of data. As such, they represent “a world of difference” from the more limited information collection addressed in previous Supreme Court rulings, it said.
It also explained that this information “is not truly ‘shared’ as one normally understands the term” because device location is recorded automatically “without any affirmative act on the part of the user beyond powering up.”
There are some exceptions to the ruling, including when police are pursuing a fleeing suspect, or when individuals are threatened with immediate harm.
The ruling has emboldened the EFF, which claimed it and other groups would be launching new litigation against other invasive surveillance technologies.
Security researchers have concluded that a Chinese-made baby monitor sold on Amazon is riddled with vulnerabilities, confirming a mother’s suspicion that her device had been hacked to spy on her infant.
SEC Consult said the FREDI-branded device, which is designed to look like a puppy, is most likely the work of an OEM called Shenzhen Gwelltimes Technology Co., Ltd.
The device has a P2P cloud feature which allows supported smartphone and desktop apps to connect to it via the cloud, making it easy for users to interact with it without needing to be on the same network. There are also no firewall rules, port forwarding rules or DDNS setup, SEC Consult claimed.
“On the back of the device there is an ID Code and a password (ID: 11610289, password: 123). In the supported app (e.g. YYP2P) there is an ‘Add online device’ function that allows you to add the device,” the researchers explained.
“Unfortunately the device ID does not look very secure. Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by ‘trying’ different cloud IDs.”
SEC Consult claimed that researchers have already successfully proven how to hack a P2P cloud system in a demo last year “that starts with scanning for valid device IDs, brute forcing passwords and then exploiting missing firmware update integrity/authenticity checks to gain remote code execution and persistence on the device.”
Hackers could not only do this to spy on users but also to gain entry into their private home networks, it said. There are also question marks about the unknown cloud server operator, which in this set-up receives all the video feeds.
The research confirms the suspicions of a South Carolina mother who earlier this month was widely reported as claiming her baby monitor had been hacked to spy on her and her baby.
“In the South Carolina case the most likely scenario is that someone is scanning for valid device IDs with insecure/default passwords and then spies on the owners of the device, possibly based on the information released by Security Research Labs in November 2017,” concluded SEC Consult.
“It seems that consumer electronics with opaque supply chains, paired with insecure, built-in cloud features that are enabled by default will keep us busy in the future.”
Action Fraud is warning of a new phishing campaign using the infamous WannaCry ransomware attack of May 2017 as a lure.
The UK’s national cybercrime reporting center claimed on Friday that it had already received 300 reports over the previous two days about the scam emails.
“The WannaCry emails are designed to cause panic and trick you into believing that your computer is infected with WannaCry ransomware,” it said in an alert.
“In reality the emails are just a phishing exercise to try and extort money. The emails claim that all of your devices were hacked and your files will be deleted unless you pay a fine to the fraudsters in Bitcoin.”
It’s now over a year since the ransomware struck around the world, infecting more than 250,000 computers in 150 countries. In the UK it was widely publicized, having disrupted over a third of the NHS Trusts and 600 GP practices, causing the cancellation of an estimated 19,000 appointments and operations.
That’s why Action Fraud has been called upon several times already since May 2017 to warn UK netizens of scams using WannaCry as bait — although most happened in the weeks following the initial outbreak.
In mid-May last year, a BT-branded phishing email urged users to click through to confirm a security update ‘carried out’ by the telco to protect them following WannaCry.
Then a week later a new tech support scam emerged after reports of pop-ups appearing on users’ PCs.
“One victim fell for the scam after calling a ‘help’ number advertised on a pop-up window. The window which wouldn’t close said the victim had been affected by WannaCry Ransomware,” said Action Fraud.
“The victim granted the fraudsters remote access to their PC after being convinced there wasn’t sufficient anti-virus protection. The fraudsters then installed Windows Malicious Software Removal Tool, which is actually free and took £320 as payment.”
Researchers at Netlab 360 detected a surge in malicious activity scanning and infecting several IoT devices, attempting to make them part of Satori, a variant of the Mirai botnet that is used to take down websites and mine digital coins. Experts point to lack of oversight in IoT and the cursed default usernames and passwords as the reason why hackers are leveraging this critical vulnerability in D-Link DSL routers.
While Mirai was rampant two years ago, Satori was first discovered in late 2017 infecting more than 260,000 home routers within 12 hours, according to a 15 June post from Netlab 360. Researchers recently noted that the Satori author released a worm, targeting for D-Link DSL-2750B devices. In this latest uptick of malicious activity, this Satori variant has been taking advantage of recently discovered device exploits. It also carries distributed denial-of-service (DDoS) capabilities and has been reported to have launched several DDoS attacks, according to a report from Radware.
Ashley Stephenson, CEO of Corero Network Security, said, “At this point, Corero detects scans that are indicative of a 'bot-herding' phase, seeking devices to compromise as Sartori bots, potentially for multiple botnets owned by different botmasters.”
Consumers using vulnerable routers can take preemptive steps by following the manufacturer’s instructions to disable remote administration, which Corero Network Security said reduces exploit surface. Yet experts want the industry to do more.
Using the two analogies – a car manufacturer no longer issuing recalls and pharmacies continuing to distribute medicines deemed unsafe – Mukul Kumar, CISO and VP of cyber practice at Cavirin, pointed the finger of blame on those who deploy and manage these devices. “The potential for personal and corporate data breach calls for [them] to take additional responsibility, which includes updates."
"We need a more formal update and ‘recall’ mechanism in place," Kumar continued. "The end user in many cases doesn’t have the skill set or even the awareness to take action. Looking forward to the increasingly connected home – HVAC, security, lighting, etc. – the need for greater oversight is critical."
In addition to default usernames and passwords, most IoT devices are shipped to consumers and enterprises with out-of-date, unsecure software that is never updated by manufacturers, said Chris Morales, head of security analytics at Vectra. “IoT devices are also trivial to access, with no regulations or guiding principles mandating how secure they should be."
Nation-state attacks are a mounting concern for security professionals, who reportedly expect to see a rise in cyber-attacks amid the backdrop of increasing geopolitical tensions. According to a Tripwire survey conducted at Infosecurity Europe 2018, the vast majority of respondents anticipate more nation-state attacks over the next 12 months.
Tripwire surveyed 416 conference attendees to gauge their expectations for the future, and almost all of them (93%) believe more trouble is on the way, with 83% saying they believe nation-states will expand their targets beyond government entities. The same amount of respondents believe that critical-infrastructure attacks from nation-states will rise and that attackers will intentionally cause direct harm.
“Recent threats like Triton/Trisis and Industroyer/CrashOverride have made it clear that cyberattacks can have dangerous physical impacts on critical infrastructure,” said Tim Erlin, vice president of product management and strategy at Tripwire. “Securing critical infrastructure at the industrial control system layer, where physical meets digital, is absolutely crucial.”
One issue with defending against nation-state attacks is that the threat can be a malicious insider, as was the case earlier this year when ObserveIT wrote about Chinese-born Greg Chung in a 23 March post, "Spies Among Us: The Rise of State-Sponsored Insider Threats." Chung claimed he was trying to “help the motherland” when he collected secret information to help his home country of China develop its own space program.
“Insider nation-state attacks pose one of the biggest threats to organizations,” said Mike McKee, CEO, ObserveIT. “These insiders might be trusted third-party contractors, privileged users or business employees that, for either malicious or non-malicious reasons, decide to collude with an outside nation to exfiltrate data. It has been shown that these actors are motivated by varying reasons, including financial greed, anger or revenge, ideology, patriotism, personal or family challenges, or organizational conflicts.”
Given the increased risk from nation-states, it’s not surprising that Lithuania's defense minister, Raimundas Karoblis, announced that Lithuania – along with counterparts from Croatia, Estonia, the Netherlands and Romania – are forming an new EU defense pact.
In an effort to confront what Lithuania has reportedly described as “hostile cyber activities” from Russia, the country has enhanced its own cyber capabilities. Karoblis has actively lead the EU defense pact project, which is expected to have Luxembourg, Finland, France, Poland and Spain sign on as well.
Researchers have detected a new Afghanistan-based attack disguised as a recent article from a Middle Eastern news network about the next Shanghai Cooperation Organisation Summit. Attackers used a malicious document that contained an excerpt from a story and titled it “Afghanistan – ‘Shanghai Spirits’ Contributes to Afghan Peace.”
In order to read the full story, readers were asked to click “enable content” because the document was protected. Duping the victims into clicking on the malicious document was the first stage in a multi-staged attack involving various servers and artifacts. The attack aims to install a Metasploit backdoor using “an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection,” according to research reported by AlienVault.
An Afghan user uploaded the malicious file, within which the the macro malware, dubbed "GZipDe," was embedded so that it executed a Visual Basic script upon opening. The script, stored as a hexadecimal stream, then executed the next task from a hidden PowerShell console. Because the server is now offline, the researchers do not have access to the next step in the infection chain; however, they did find the original reverse-tcp payload publicly available (with an additional layer of encryption payload) on GitHub.
“The malware allocates a new memory page with execute, read and write privileges. Then it copies the contents of the decrypted payload and launches a new thread to execute it,” researchers wrote.
The research team has only seen one sample of the malware but said that it seemed very targeted. “Given the decoy document is in English and uploaded from Afghanistan, it may have been targeting someone in an embassy or similar,” Chris Doman, AlienVault security researcher, wrote in an email.
Researchers also noted that Metasploit is growing in popularity for targeted attacks and said that there have been ongoing discussions around what makes Metasploit a good choice for attackers. “Essentially it makes attribution more difficult and they will use the minimum required effort to achieve their objectives,” Doman wrote.
Installation of malicious software in legitimate products could compromise security, and damage trust in software updates altogether.
According to a report by the ACLU on “How Malicious Software Updates Endanger Everyone”, it warned that “government agents may see malicious software updates as a means for surveillance” and the US government may force users to install malware to bypass passcode lockouts, enable wiretapping, turn on cameras, or physically track someone.
“The likelihood that government actors may attempt to force software makers to push out software updates that include malware designed to obtain data from targeted devices grows as more companies secure their users’ data with encryption,” it said.
“As companies close other technological loopholes, there will be increased pressure on law enforcement to find alternate vulnerabilities to exploit.”
The ACLU said that law enforcement routinely seeks the assistance of software makers to obtain data in the course of criminal investigations, but users have the right to decline assistance requests, or may compel software developers to “install malware on a user’s machine as a software update that appears to be entirely ordinary.”
The report also acknowledged that while fixing vulnerabilities requires that the public trust the software update channel, so that fixes to security weaknesses are deployed as soon as they’re made available, but people will not regularly update software if they fear the government or bad actors will use the new code to exploit their systems.
While the ACLU acknowledged that it was “uncertain whether governments have already sought to obtain such orders or will do so in the future”, it issued four guiding points on what developers should do in the event of such a request:
- Understand the issue, and any legal obligations
- Implement Technical Defenses, such as encryption and defending against targeted attacks
- Plan Responses, and consult executives, software designers and engineers, and lawyers is a helpful and important step to take prior to receiving a technical assistance order
- Lawyer Up and seek legal counsel if you receive a technical assistance order.
Being top choice as an attack vector is likely not a contest any platform wants to win. Unfortunately for Microsoft, Office will not only continue to be the attackers’ vector of choice but will also be the platform for exploiting vulnerabilities, according to a new report from Menlo Security.
After 360 Total Security blogged about “the first APT (Advanced Persistent Threat) campaign that forms its attack with an Office document embedding a newly discovered Internet Explorer 0-day exploit,” Menlo Security researchers sought to understand why attackers were using malicious Office documents for endpoint exploitation.
Malicious Microsoft Office documents attached to emails as an attack delivery mechanism are not new, but the report, Microsoft Office: The New Platform for Exploiting Zero-Days, detailed the latest examples of the growing sophistication of methods being used and highlighted the need for a more foolproof approach to security.
Even while the paper was being drafted, a new zero-day exploit – CVE-2018-5002 – was disclosed, all while two Flash zero-day vulnerabilities continue to be exploited in the wild.
“There is likely to be an increase in attacks via malevolent email attachments using stealthily embedded, remotely hosted malicious components that leverage application and operating system vulnerabilities, both old and new,” the report stated.
Researchers did find new attack methods, however. One is the use of embedded, remotely hosted malicious components exploiting app and OS vulnerabilities in Word documents delivering zero-day exploits.
Microsoft Word is the leading cloud office-productivity platform, and it’s popularity is expected to grow. In turn it will, presumably, continue to be the attackers’ vector of choice and the platform most often used to exploit vulnerabilities.
The researchers found that almost all recent zero-day attacks have been delivered via Microsoft Word. “With CVE-2018-8174 and CVE-2018-5002, the attackers leveraged Word as a vector to exploit Adobe Flash Player and Internet Explorer. By using Word as the vector, the attackers were able to exploit a browser, even if it is not the default browser, and exploit Flash, even though Flash is blocked by most enterprises," according to the report.
"Microsoft is therefore undoubtedly going to become the platform that attackers leverage most to deliver their zero-day exploits,” the report conlcuded.
More than 3,000 mobile iOS and Android apps have presumably been affected by a new HospitalGown threat variant recently discovered by Appthority. The threat occurs when app developers fail to require authentication to Google Firebase databases, potentially leaving private data exposed.
Researchers first discovered what they call the HospitalGown vulnerability in 2017 after broadening their understanding of enterprise mobile threats by looking at the data leakage through back-end data stores that are unsecured. In a 31 May 2017 post, researchers wrote, “This vulnerability...can expose an enterprise to Big Data exfiltration, leakage of PII (personally identifiable information), and the potential for data being stolen and ransomed.”
As of the time Appthority reported the vulnerability, the apps affected by the Firebase variant had been downloaded 620 million times for Android devices. Researchers said 62% of enterprises were exposed to the loss of sensitive data through this vulnerability. The vulnerability is reportedly both critical and significant and has likely impacted productivity, health and fitness, communication, cryptocurrency, finance and business apps.
“The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities,” Seth Hardy, Appthority director of security research, said in a 19 June press release.
Because mobile developers are under pressure to release a product, “the rush to market can result in developers and line-of-business owners overlooking rather basic security practices that might prevent this sort of issue. It's not hard to find mobile development talent, but finding a mobile developer with security expertise is rare, and so developers need all the help they can get," said Samuel Bakken, senior product marketing manager, OneSpan.
Given that mobile application security is so critical to enterprise security, “this vulnerability underscores why sectors such as healthcare and finance are increasingly adopting multilayered security strategies and incorporating passive biometrics and behavioral analytics to help ensure that the previously stolen data cannot be used for fraudulent purposes,” said Ryan Wilk, VP of customer success, NuData Security.
The state of Oregon continues efforts to resolve an email issue, with the oregon.gov domain is still preventing communication from state employees.
On 19 June, Oregon Live reported that agency directors across the state of Oregon received a message alerting them to a phishing attack that generated over eight million spam emails from an oregon.gov email address.
“This happened over the weekend and was caught on Monday. Unfortunately, we did not catch it before external mail providers downgraded the Oregon.gov sender reputation score – a score that shows how mailbox providers view your IP address. As a result of this incident, mail from Oregon.gov has been blacklisted by certain providers,” the message said.
Email providers, including Outlook, MSN, Hotmail and Live, have blacklisted emails attempting to come in from Oregon’s state email domain. As a result, mail from any state employee sent to those email domains will not be received.
State employees were reportedly told by Amy Williams, a spokeswoman for the Department of Administrative Services (DAS), that they may have to use an alternate email address. Williams also suggested that members of the public attempting to contact state employees should include phone numbers in their emails.
While Gov. Kate Brown reportedly declined to comment on the status of the cybersecurity posture of the state of Oregon, DAS is working with the Department of Enterprise Technology Services and the Enterprise Technology Office to rectify the situation. The attack on state email addresses serves as a reminder that phishing campaigns are rampant and sophisticated.
“Emails from a well-known and trusted sender are likely to be acted on by a person of that organization. Without the use of specialized email defenses and multifactor authentication, it is not surprising that these types of attacks are growing quickly globally,” said Matthew Gardiner, cybersecurity expert at Mimecast.
“Attackers love to steal users’ email log-in credentials from organizations such as the state of Oregon as this access can be used to quickly pivot the attack to breach other organizations that regularly do business with the state. This technique forms the basis of many supply-chain style attacks.”
As Fortnite fans await its mobile debut on Android, YouTube videos have been detected claiming to contain downloads for the game.
After various tutorial videos were discovered, research by Malwarebytes into the videos found that tutorial apps were not in the Google Play store, but users found links in YouTube’s sponsored adverts which appear legitimate, and feature the Epic Games logo.
Nathan Collier, senior malware intelligence analyst at Malwarebytes, found that upon downloading and opening the app it plays the Fortnite intro song and requests updates to be downloaded, before requesting mobile verification from the user.
“There, it claims to be for the purpose of verifying 'You’r Not A BOT' (bad grammar and all) in order to proceed to Fortnite,” Collier said. “To ‘verify’ the user must complete a task, which involves downloading another ‘free’ app.”
This directs to Google Play, but Collier said no matter how many apps you download, the game never unlocks, because it never existed within the malicious app in the first place.
He said: “The more downloads that come from the website, the more money the malware developers can make. With the app being so simplistic, the amount of development effort is pretty low for the amount that could be potentially gained.”
James Hadley, CEO and founder of Immersive Labs, said: “Fortnite’s popularity, driven by gamers including the England football team, means there is an opportunity for cyber-criminals to take advantage of the demand for the game and the latest releases.
“In life, if something seems too good to be true, it usually is just that; and cyber is no different. Cyber-criminals rely on the draw of a new, exciting or trendy app outweighing the perceived negatives; in this case, getting an early release of Fortnite on Android for downloading another app.”
Javvad Malik, security advocate at AlienVault, said that ongoing user awareness is essential to ensure users are savvy to the risks that can affect them, and defenses to stop such malware making its way into app stores, or running on devices, needs to be continually improved.
Steve Giguere, lead EMEA engineer at Synopsys, added: “There's no shame in being caught out by schemes or scams like these, but we need to learn that where we exhibit human weakness, the cyber-criminal will be present looking to take advantage to turn our nature against us.
“As attacks like these become more common place, awareness will inevitably follow; but until then, ensure you are running a modern endpoint security program and remember that if you think it looks too good to be true, don't take the bait - it's called phishing for a reason.”
The firm carried out a survey of three sample groups – 1000 small business owners, 1000 C-suite execs of large organizations and 1100 consumers/employees to expose security risks currently threatening UK companies.
A key finding was that businesses recognize employee negligence as playing a major or moderate role in data security breaches, but that a significant percentage are failing to take action with robust information security training programs.
Only just over half (55%) of the large organizations surveyed had trained their workers on public Wi-Fi use, whilst almost a third had failed to provide training on spotting fraudulent emails. Smaller businesses faired a lot worse, with just 46% of them offering necessary key training; only 27% had provided public Wi-Fi training and a third offered fraudulent email training.
“It might feel like rough justice for employees to be held to account when training is not comprehensive, but it reflects how difficult this process is, even for businesses with extensive resources,” said Neil Percy, vice-president market development and integration EMEA, Shred-it.
“There may also be an assumption that some elements are common sense, but that potentially belies how easy it is to be duped by skilled phishers and hackers, or even to lose confidential info during the course of a busy day. Mindfulness is key and training helps.”
New research from Centrify has assessed managerial attitudes towards younger employees (18-24-year-olds) and their security, privacy and online behaviors at work.
Released at a press launch event in central London yesterday, Centrify’s survey revealed that, of the 500 senior decision makers polled, more than a third believe the younger generation are the ‘main culprits’ for security breaches, with 37% stating they are too relaxed about security measures, too trusting in new technology (35%) and share data too easily (30%).
However, further investigation by the firm showed that such concerns are not necessarily reflective of real actions of younger employees, and that managerial-level workers are actually failing to ‘lead by example’ when it comes to good security and privacy behaviors themselves.
For example, the biggest worry for decision makers (44%) was that next-gen workers would misuse technology; clicking on suspicious links or removing company information via a USB stick/personal email. In fact, of the 1000 18-24-year-olds surveyed, only one in 10 admitted to clicking on a suspicious link, with just 7% removing information from the company. Conversely, Centrify pointed out that twice as many managers had clicked on suspicious links compared to younger workers, and twice as many had removed information from the company.
Likewise, 38% of decision makers worried about younger workers using corporate devices for personal use, when in fact more of them admitted to playing games on work devices (18%) than next-gen employees (15%), and one in eight used them to gamble online compared to one in 20 younger employees.
Perhaps most poignantly, although 48% of managers felt concerned about how younger employees’ social media activity might affect the organization and compromise security, just 40% of 18-24-year-olds said their company provides clear guidance around social media usage.
What’s more, according to younger workers, only 40% of employers enforce a regular password change despite 56% of managers worried about password sharing, whilst 36% said they are able to access any/all files within their business network without restriction despite concerns around the taking of company information from the workplace.
“Some may think of younger workers as always online, always ready to share information and perhaps not being as concerned about privacy or security as older workers, but we must remember they are the business leaders of tomorrow and we must help not hinder them,” said Barry Scott, CTO EMEA, Centrify.
“While it’s clear that employers are concerned about this new generation entering the workforce – and see them as a potential risk to both the business and brand – these same companies are perhaps guilty of not putting in place the right security processes, policies and technologies. If you give employees access to any information at any time from any place, or fail to enforce strict password and security policies, they are likely to take full advantage, putting both their own jobs at risk as well as the company itself.”