A new study has found that more than half of organizations believe detecting insider threats is harder following migration to the cloud.
The 2020 Insider Threat Report published today found that a lack of visibility into anomalous activity, especially in the cloud, and manual SIEM workloads have increased the risk of insider threats for organizations and prevent many from detecting and stopping data exfiltration.
The annual report was produced with the support of Gurucul by Cybersecurity Insiders, the 400,000-member community of information security professionals, to explore how organizations are responding to evolving security threats.
Key findings are that 58% of organizations consider their monitoring, detecting, and response to insider threats somewhat effective or worse, and 53% believe that detecting insider attacks has become significantly to somewhat harder since migrating to the cloud.
Nearly half of the companies surveyed for the report admitted that they are unable to remediate insider threats until after data loss has occurred.
Although 68% of organizations indicated that they felt vulnerable to insider attacks, 17% admitted having no visibility whatsoever into user behavior within core applications.
The most popular method for monitoring user behavior within core applications was via server logs, which were used by 46% of companies surveyed for the report. In-app audit systems/features were used by 31%, and 33% said that they had conducted user-activity monitoring.
The majority of organizations—87%—found it moderately difficult to very difficult to determine the actual damage of an insider attack, though the most common estimate, given by half of the organizations surveyed, was that an insider attack would cost less than $100,000.
As for identifying the sources of threats, 63% of organizations think that privileged IT users pose the biggest insider security risk.
“Insider threats are not limited to employees. They extend to contractors, supply chain partners, service providers and account compromise attacks that can abuse access to an organization’s assets both on-premise and in the cloud,” said Craig Cooper, COO of Gurucul.
“Lack of visibility and legacy SIEM deployments put companies at risk. Insider threat programs that monitor the behavior of users and devices to detect when they deviate from their baselines using security analytics can provide unmatched detection, risk-based controls and automation.”
The excuses made by companies that have suffered a data breach are being parodied online by a new website, whose creator is unknown.
"Why the f*ck was I breached?" uses algorithms to generate a slew of entertaining excuses that attempt to explain how data came to be exposed.
Excuses that appear on the site include "Anonymous collective used that other vulnerability we were going to patch next Tuesday to make a mess," "Russians used an open window in the server room to transfer 7 petabytes of data," and "Teenagers used nefarious techniques to do something, but we aren't quite sure what it is."
Along with each excuse comes an assurance that no further breaches will occur because the company has taken some kind of action that even a cybersecurity novice can see will be totally ineffective at preventing a similar incident from occurring.
Preventative actions that appear on the site include "We have since worked with law enforcement," "We have since copy-pasted a security policy we found on Google," and "We have since watched the movie Hacker 8 times back to back."
The site opens with the statement: "Did you just lose 100m customer SSNs because your root password was 'password,' you set an S3 bucket to public, or you didn't patch a well-known vulnerability for 8 months? Is the media and government chewing you out because of it? Worry not! Our free excuse generator will help you develop an air-tight breach statement in no time!"
Users can then scroll down to view an auto-generated breach excuse. To make the next excuse appear, users must click a button that reads "Equifax already f*cking used that one."
While the site was clearly created for comic effect, by mocking the often vague information disclosed by companies following a data breach it flags the salient issue of how cybersecurity is approached and implemented.
The site aims particular criticism at Equifax, which exposed the personal information of 147 million people in July 2017. Although staggering in size, this breach is paltry when compared to the breaches that affected 3 billion Yahoo users in 2013 and 500 million Marriott customers between 2014 and 2018.
The Social Security information of thousands of drivers has been exposed following a data breach at the California Department of Motor Vehicles that went unnoticed for four years.
Information relating to 3,200 people issued with driver's licenses was inadvertently leaked to federal agencies, including the U.S. Department of Homeland Security.
A total of seven agencies were able to access the data, including district attorneys in San Diego and Santa Clara counties, the Small Business Administration, and the Internal Revenue Service.
According to the Los Angeles Times, some data exposed by the DMV was accessed as part of investigations into criminal activity or compliance with tax laws.
DMV spokesperson Anita Gore stated that no information had been accessed by or shared with private individuals as a result of the breach.
The DMV restricted access to the data shortly after discovering the breach on August 2, 2019.
“Protection of personal information is important to DMV, and we have taken additional steps to correct this error, protect this information and reaffirm our serious commitment to protect the privacy rights of all license holders,” Gore said.
“That’s why DMV immediately began correcting the access error following a legal compliance review, ensured that no additional confidential information was disclosed to these entities, and has implemented several additional layers of review.”
Customers of the DMV were informed of the breach by letter. In it, Albert C. Hwang, chief privacy officer at the DMV, wrote: “We sent this letter and the attached notice to you based on having, in the past, shared your Social Security information in error.”
California state law requires customers to be notified of any unauthorized acquisition of computerized data that compromises the confidentiality of personal information.
News of the breach comes just months after a state audit in March found “significant deficiencies” in DMV operations, including technology and staffing problems and poor management practices.
The audit found that the department's computer system was relying on programming language dating to the 1950s and that some parts of the department’s operating structure hadn’t been updated since 1990.
The DMV has also been criticized for soul-crushingly long waiting times, with some Californians reporting queues that lasted nearly six hours.
Facebook has revealed yet another incident where third-party developers may have been allowed too much access to user data.
In this case, names, profile pictures and other information relating to members of Facebook groups may have been accessed improperly by as many as 100 developer ‘partners’ of the social network.
“We know at least 11 partners accessed group members’ information in the last 60 days,” said Facebook director of developer platforms and programs, Konstantinos Papamiltiadis.
“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”
The snafu relates to a Groups API that Facebook restricted as part of its efforts in April last year to clamp down on data sharing with third parties, in the wake of the Cambridge Analytica scandal.
“Before April 2018, group admins could authorize an app for a group, which gave the app developer access to information in the group,” said Papamiltiadis.
“As part of the changes to the Groups API after April 2018, if an admin authorized this access, that app would only get information, such as the group’s name, the number of users, and the content of posts. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt-in.”
Unfortunately, the social network subsequently discovered that some apps/developers retained access to this additional information “for longer than intended.”
These have now been removed as part of Facebook’s efforts to improve transparency and accountability following its record $5bn settlement with the FTC.
In September this year it announced the suspension of tens of thousands of apps from hundreds of developers for potential abuse of policy, such as improperly sharing user data.
The internet is awash with politically themed malware, used in everything from ransomware to remote access trojans (RATs), according to new research from Cisco Talos.
The security firm’s study began with analysis of a regular-looking malicious spam campaign which used an executable named “trump.exe.”
Taking this as a jumping off point, the research team found a wide range of similarly themed threats that “was almost a microcosm of what we see in the threat landscape daily.”
These included Donald Trump-themed ransomware, and separate Trump and Vladimir Putin-themed locker malware. Interestingly, one of these threats offered no way for hackers to monetize their efforts.
Cisco also found numerous politically themed RAT campaigns, including Neshta, which used Kim Jong Un, and an NjRAT campaign that used an image of Putin — the same one used as an icon for the “Papa-Putin.exe” executable.
Some RATs were found using booby-trapped files purporting to contain political content as a lure, such as the Word document “12 things Trump should know about North Korea.doc,” which was used to spread the Konni RAT.
An Excel spreadsheet titled “Trump_administration_economic_indicators_on_China_investments.xls” contained malicious macros leading to infection by the well-known PoisonIvy RAT, often used in nation state attacks.
Other tools featuring political iconography included a Trump crypter, injectors referencing Barack Obama and Putin, and a Putin-themed malware loader.
Cisco also discovered a range of political software “ranging from the absurd to the disturbing,” including a “Dancing Hillary” game and a “Trump's Cyber Security Firewall” tool.
“As this investigation has exposed, adversaries will go to any lengths and use anything they deem advantageous, from pop culture to political references — everything is fair game,” it concluded. “This is applicable not only to the adversaries delivering malware, but also the miscreants writing tools for adversaries to leverage including crypters, injectors and loaders.”
Drones could become a major network security threat from 2020, forcing organizations to guard the airspace around their buildings, security researchers have warned.
Small unmanned aerial vehicles (UAVs) will increasingly evolve from novelty items to “ubiquitous business tools” over the coming years, explained defense contractor Booz Allen Hamilton in a new 2020 Cyber Threat Trends Outlook report.
However, as they do, cyber-criminals may also look to take advantage by flying them close to target networks and/or landing them in concealed locations such as on roofs. In this way, a UAV could be fitted with a Wi-Fi Pineapple and used as a rogue access point to harvest credentials, perform man-in-the-middle attacks against employees and carry out network reconnaissance, the report warned.
IoT devices such as smart light bulbs, or even wireless mice could also be targeted.
“Drones equipped with specially fitted hardware and software may also be used to install malicious malware on systems or disrupt system’s operations, particularly devices that are vulnerable to exploitation of wireless protocols like Bluetooth and ZigBee,” the report claimed.
“The requirement for both the attacker and the drone to be in proximity to a target (e.g., Bluetooth has an estimated maximum range of 300 feet) will limit the frequency with which drone-based attacks will be used, but the threat nonetheless remains real.”
To mitigate the threat, Booz Allen Hamilton urged organizations to consider training physical security staff to spot drones, installing jamming signals and treating their airspace as an extension of the corporate attack surface.
“For small office/home office wireless networks, operators may consider mitigations commonly used to address war-driving attacks, such as turning off the wireless network when not in use, updating administrator passwords on routers regularly, and using security measures such as wireless traffic encryption and firewalls,” it added.
Elsewhere in its report, the IT consulting giant warned of a growing risk to satellite infrastructure, connected cars, the upcoming Tokyo Olympics and digital elections.
Security practitioners have a sense of failure, believing that they cannot keep up with attacks, and this has created irrational fear.
Speaking at the Tenable Edge conference in London, Tenable CEO Amit Yoran said that this “sense learnedness” has led people to reassess their perception of risk. Rather than zero-days, which he said were often overhyped, he argued that two other things are actually more important to focus on: system hygiene and user challenges.
Acknowledging that user problems are harder to solve, Yoran focused on security hygiene, saying that “sophisticated adversaries take advantage of known vulnerabilities as 60% of breaches are caused by known vulnerabilities to which patches are available” but often not applied.
He said that in the last two years, the NSA “has not responded to a breach that involved a zero-day exploit” and this has led to irrational fears and news on what we are concerned about, when breaches are often “the result of bad hygiene and stuff we know about and can fix.”
Yoran said that knowing your level of risk is imperative, as boards and CEOs do not ask about sandboxing, exploiting files “and which form of AI or ML you’re using to detect logins,” but are asking simple questions such as “how vulnerable are we and what is our level of risk?”
He concluded: “Those are the questions business leaders are asking, and it is imperative for the future of vulnerability management as it is a system of record for the understanding of risk.”
Californian security-event management company Sumo Logic has acquired JASK Labs, Inc.
JASK makes security information and event management (SIEM) software and is best known for its flagship product, JASK Autonomous Security Operations Center (ASOC), which collects and analyzes data from any source, including endpoint data, network data, and applications in the cloud.
Sumo Logic, which had its own SIEM prior to the acquisition, has rebranded the JASK solution as Sumo Logic ASOC.
Since it was founded in Austin, Texas, in 2015, JASK has raised nearly $40M from investors like Battery Ventures, Dell Technologies Capital, TenEleven Ventures, and Kleiner Perkins.
“The team at JASK set out to fundamentally disrupt traditional security solutions that are no longer meeting the needs of modern security teams,” said Greg Martin, CEO of JASK.
“Over the past five years, we’ve worked with customers and experts on the front lines of this disruption to uncover what will truly have an impact on improving the performance of security analysts that have been mired with alert fatigue. We’re excited to bring together our collective security DNA and joint customers and partners to create a powerful security intelligence solution that provides a cloud-native best-in-class modern SOC and analytics solution.”
Ramin Sayar, president and CEO of Sumo Logic, said: “Security in the modern world is moving from a human-scale problem to a machine-scale problem.
“Customers are looking for a new approach to help them overcome the pain and complexity around an increasingly perimeter-less world. The JASK team are experts in helping customers navigate this new world. By aligning our efforts as a single team, we are able to democratize security intelligence for all.”
Commenting on how the acquisition will affect the SIEM market, Nir Polak, co-founder and CEO of Exabeam, said: "Based on how rarely we see JASK or Sumo Logic compete against us for business, I can’t envision their combined company making any significant headway in the next-gen SIEM market.
“When you multiply a fraction by another fraction, you get an even smaller fraction. I don’t think this merger will be the force multiplier either company is hoping for.”
Nunavut, Canada's largest and most northerly territory, is working hard to recover from a ransomware attack that struck over the weekend.
The sophisticated cyber-assault was launched on the sparsely populated territory's government network at approximately 4:00 am on Saturday, resulting in the swift encryption of multiple Word documents and PDF files.
Users trying to access the infected government network were confronted with a ransom note that read: "Your network has been penetrated. All files . . . have been encrypted with a strong algorithm . . . we exclusively have decryption software for your situation."
The threat actors behind the attack instructed users to download an encrypted browser and visit a specific URL within the next 21 days. Users were told that the sooner they pay, the lower the price they will be charged to recover their encrypted files.
In an attempt to contain the attack, the government shut down parts of its network, leaving many government employees unable to access their email or voicemail. All government services requiring access to electronic information were impacted by the attack, with the exception of Qulliq Energy Corporation.
"The nature of the government is we're a centralized organization, so it has impacted the file servers of different departments and it's impacted some of our communities as well," Nunavut's director of information, communications, and technology, Martin Joy, told CBC News.
The ransomware is believed to have been triggered when an employee working late on Friday night clicked a link in a malicious email or web advertisement. Joy said the ransomware appeared to be DoppelPaymer, which Nunavut's security systems hadn't been trained to detect.
In a statement released yesterday, the Nunavut government wrote that "there is no concern at this time with the loss of personal information or privacy breaches."
Contingency plans have been implemented to ensure uninterrupted services to the local community, and the government stated that it "expects the majority of files will be restored, using existing up-to-date back-ups."
Minister of Community and Government Services Lorne Kusugak said in a statement in the legislature Monday that it would be at least a week before services were restored.
Speculating on why threat actors might have targeted Nunavut, Emsisoft’s Brett Callow commented: "US entities are on very high alert, bolstering their IT, and so are less likely to be compromised. Because of this, big game hunters are increasingly looking for opportunities in other countries."
Community safety organization Neighbourhood Watch has established a cyber-safety initiative to help Brits protect themselves and their families from online crime.
Formed in response to the rising level of cybercrime, the new scheme aims to teach communities about the risks associated with going online while also gathering data on which regions of the UK are most vulnerable to cyber-threats.
According to a survey of 14,000 Neighbourhood Watch members carried out by the watch in conjunction with Avast, 20% have been victims of cybercrime, while 38% know someone else who has become a victim of cybercrime.
Researchers found a general lack of confidence in talking about cybercrime experiences within the community, and some gaps in understanding around the best methods of online protection.
In terms of financial impact, over a third (36%) lost money, and of them, 29% lost more than £1,000. The majority of these crimes were kept secret by the victims, with only 30% reporting the incident to the police.
"Neighbourhood Watch is about making sure that fewer people feel afraid, vulnerable or isolated in the place where they live, and in recent years that means helping members learn how to protect themselves, and their local community, against cybercrime has become a key priority," said John Hayward-Cripps, CEO of Neighbourhood Watch.
"This may surprise some people who think Neighbourhood Watch is solely focused on physical crime prevention. Our members recognize that the threat of cybercrime is very real, and they tell us that there is a definite need for simple advice and resources, so they feel better equipped to defend themselves against it and advise others."
Avast’s support will include a training and accreditation scheme for local Neighbourhood Watch representatives, local informative events, downloadable guides and resources, and ongoing sharing of information about relevant emerging threats.
"Neighbourhood Watch community leads, who often represent people and places that are most at risk of cyber threats, are increasingly asking for help following feedback from local members who have experienced scams or security incidents themselves or know someone who has. We are delighted to provide our support by working with them to deliver a cybersecurity accreditation programme with training courses to help members become more confident and knowledgeable in supporting their community cybersecurity requirements," said Peter Turner, senior vice president, Consumer Security, Avast.
Half of global organizations still don’t have cyber insurance, despite the majority believing cyber-attacks will increase next year, according to FireEye.
The security vendor polled 800 CISOs and senior executives across the globe to compile its new Cyber Trendscape Report.
More than half (56%) said they believe the risk of attacks will grow next year and 51% said they aren’t ready for an attack. Yet half claimed not to have any cyber insurance, rising to 60% in Germany.
Around one in 10 (8%) said they had no breach response plan in place, rising to 11% in the UK, 19% in Canada and 15% in Japan. Plus, 29% of those which did have response plans in place have not tested or updated them in 12 months or more.
This is one of the key requirements of the GDPR. Yet compliance fines appear not to be a concern to most organizations, despite the advent of the sweeping new EU legislation last year. Only a quarter (24%) of respondents said these were a concern, rising slightly to 39% in the UK, but dropping to 22% in Germany and 19% in France.
In fact, organizations are in many ways focused too much on compliance, according to Eric Ouellet, global security strategist at FireEye.
“One attitude that emerged which people should reconsider is letting compliance dictate security standards, when actually they should be aiming for a higher level of protection,” he said.
“For example, the report found that 29% of organizations had informal training programs on an ‘as needed’ basis that are focused on meeting core compliance requirements. It’s likely that the organizations which are taking a more comprehensive approach in this area and others are better equipped to deal with security threats.”
Another interesting finding from the report is the continued challenge of security awareness training. Around a fifth (21%) of German respondents lack any cybersecurity training program, much higher than the global average (11%).
The Mozilla Foundation and a group of rights groups and non-profits have penned an open letter to Facebook and Google urging them to halt political advertising until after the upcoming UK General Election.
The letter argued that there won’t be time in the current parliament for the urgent legislation on political ads that the UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have called for.
“This legislative blackspot is particularly concerning in light of Facebook’s recent policies to allow politicians to openly publish disinformation through ads. Equally concerning is the lack of transparency as to what data is being used to target ads, and how such ads are being targeted,” the letter continued.
“We are aware that these policies are subject to debate both inside and outside the company. While that debate continues, people in the UK are left in uncertainty about whether they can trust what they see on the platform.”
The letter’s authors pointed to precedent in this space, with Google blocking political ads two weeks before polling in the Irish referendum and during the entirety of the recent Israeli and Canadian election periods.
“Again, this call is not about a permanent ban on political and issue-based ads; indeed, political ads are not inherently problematic. But the online advertising model, which depends on vast collection of data and opaque ad targeting systems is not fit for purpose and thus fundamentally undermines trust in political advertising,” it concluded.
“It is a request to take temporary measures to ensure that your platforms are not complicit in exploiting electoral laws MPs themselves have described as ‘unfit for purpose’.”
Mark Zuckerberg has come in for heavy criticism of late for effectively defending the right of politicians to lie in their ads, saying: “I don't think most people want to live in a world where you can only post things that tech companies judge to be 100% true.”
Facebook rejected a request from Presidential hopeful Joe Biden to remove a Trump campaign ad containing misinformation about the former Veep.
Last month, Twitter stepped up the pressure on Facebook by announcing a ban on political advertising on its platform. However, experts argued that Twitter doesn’t host many political ads anyway, and the move would do nothing to stem the flow of misinformation ahead of elections coming from bot accounts.
An Indian ed tech provider suffered a serious data breach months ago impacting hundreds of thousands of customers, but is only now informing them of the incident.
Vedantu offers a real-time online learning environment for teachers and students from its headquarters in Bengaluru.
However, it was hit by an attack back in July that exposed the personal data of 687,000 users, according to breach notification site HaveIBeenPwned?
“The JSON formatted database dump exposed extensive personal information including email and IP address, names, phone numbers, genders and passwords stored as bcrypt hashes,” the note explained. “When contacted about the incident, Vedantu advised that they were aware of the breach and were in the process of informing their customers.”
Reports suggest that the culprit may have been an exposed MongoDB instance, although this has yet to be confirmed.
Although the passwords appear to have been stored as bcrypt hashes rather than in plain text, there’s plenty of other personal information in the breach that could give the hackers an opportunity to craft convincing follow-on phishing attacks and identity theft attempts.
Ray Walsh, digital privacy advocate at ProPrivacy, said it’s a concern the breach wasn’t discovered earlier by Vedantu.
“What’s more, because phone numbers were stolen along with names and addresses, it is possible that users could have fallen victim to phone scams designed to steal their money — or perhaps even a SIM swap attack that could have resulted in the dual-factor authentication for their online accounts, or perhaps even their internet banking, being compromised,” he added.
“Any user who believes they have been affected by this data breach is advised to keep a close eye on any emails, messages, or phone calls they receive that could be using data stolen from Vedantu to coerce them into parting with further data or clicking on malicious links.”
A Pentagon advisory board has published a set of guidelines on the ethical use of artificial intelligence (AI) during warfare.
In "AI Principles: Recommendations on the Ethical Use of Artificial Intelligence by the Department of Defense," the Defense Innovation Board (DIB) shied away from actionable proposals in favor of high-level ethical goals.
In its recommendations, the board wrote that the Department of Defense's AI systems should be responsible, equitable, traceable, reliable, and governable.
Since AI systems are tools with no legal or moral agency, the board wrote that human beings must remain responsible for their development, deployment, use, and outcomes.
As far as being equitable, the board wrote that the Department of Defense (DoD) "should take deliberate steps to avoid unintended bias in the development and deployment of combat or non-combat AI systems that would inadvertently cause harm to persons."
To ensure AI-enabled systems are traceable, the board recommended the use of transparent and auditable methodologies, data sources, and design procedure and documentation.
The board recommended that the DoD's AI should be as reliable as possible, and because reliability can never be guaranteed, that it should always be governable. That way, systems "that demonstrate unintended escalatory or other behavior" can be switched off.
The board called for ethics to be an integral part of the development process for all new AI technology, rather than an afterthought.
"Ethics cannot be 'bolted on' after a widget is built or considered only once a deployed process unfolds, and policy cannot wait for scientists and engineers to figure out particular technology problems. Rather, there must be an integrated, iterative development of technology with ethics, law and policy considerations happening alongside technological development," wrote the board.
Although the public sector, including the European Commission, the United Kingdom House of Lords, and ministries or groups from the governments of Germany, France, Australia, Canada, Singapore, and Dubai have all formulated AI ethics or governance documents, the US is unique in offering AI guidelines specific to the military.
"What is noteworthy when canvassing the plethora of available AI Ethics Principles documents is that there is no other military in the world that has offered its approach to ethical design, development, and deployment of AI systems. In this respect, DoD is leading in this space, showing its commitments to ethics and law," wrote the board.
Since DIB's recommendations are not legally binding, it is now up to the Pentagon to decide if the board's guidelines should be followed.
America's Midwest is to get its first National Guard cyber battalion.
The 127th Cyber Battalion will comprise 100 soldiers, who will be based in Indiana. Before taking up their new command, the soldiers will head to the Muscatatuck Urban Training Center in Jennings County, where they will receive state-of-the-art training in cybersecurity and cyber-warfare.
Located 75 miles southeast of Indianapolis, the center features live environments for cyber- and electronic warfare testing and training. The soldiers will be challenged to neutralize attacks in realistic simulations of incidents that have occurred in the past and attacks that could be launched in the future.
Additional training will be provided to the soldiers by Ivy Tech Community College Cyber Academy at Muscatatuck.
"With our National Guard's current cyber resources and Indiana's top-notch academic institutions, our state is a natural fit for one of the country's first cyber battalions," Indiana governor Eric Holcomb said in a statement.
"Warfare is becoming increasingly digital, and it's an honor for Indiana to be home to those who protect our country from computer-generated threats."
Indiana beat nineteen other states and territories to become the battalion's new home. Officials chose the Hoosier State for its existing cyber capabilities, partnerships with industry and academia, and its proven ability to recruit and retain soldiers.
The 127th Cyber Battalion is the Army National Guard's fifth cyber battalion. Two battalions are already up and running in Virginia, and South Carolina and Massachusetts each have one.
Indiana's new battalion is expected to attain its full operational capability by 2022. The 127th will serve under the Army National Guard's 91st Cyber Brigade, which was established in 2016 in Virginia.
Most of Indiana's new battalion of cyber-soldiers will serve part-time on top of pursuing civilian careers. Once qualified, they will provide cybersecurity expertise to companies, training-readiness oversight for cyberspace operations, network vulnerability assessments, security cooperation partnerships, and FEMA support, along with cyberspace support for federal requirements.
“The Army National Guard’s role in national cybersecurity provides a larger blanket of protection against our adversaries,” said Lt. Gen. Daniel R. Hokanson of the Army National Guard.
A malicious Android app that displays advertisements and facilitates the download of additional malicious apps has infected over 45,000 devices in six months.
Researchers at Symantec observed a surge in detections of the Xhelper app, which has mainly been targeting users in the US, India, and Russia.
This annoying app, which bombards infected devices with pop-up advertisements, is tricky to find because it has been designed to not appear on the system's launcher.
In addition to playing an irritating game of hide and seek, Xhelper has proved to be more tenacious than a 5-year-old in a candy store by repeatedly reinstalling itself on devices from which it's been removed and even on devices that have been restored to their factory settings.
Researchers wrote: "We have seen many users posting about Xhelper on online forums, complaining about random pop-up advertisements and how the malware keeps showing up even after they have manually uninstalled it."
With no app icon visible on the launcher, Xhelper can’t be launched manually. Instead, the malicious app gets its green light from external events, leaping into action when a compromised device is rebooted, an app is added to or removed from the device, or the device is connected to or disconnected from a power supply.
The launched malware has cunningly been designed to register itself on the device as a foreground service, lowering its risk of being quashed when the device's memory is low.
"For persistence, the malware restarts its service if it is stopped; a common tactic used by mobile malware," wrote researchers.
Once Xhelper has settled into the device's lounge and popped its feet up on the coffee table, it begins decrypting to memory the malicious payload embedded in its package. The payload then connects to the threat actor's command and control (C&C) server and waits for commands.
"Upon successful connection to the C&C server, additional payloads such as droppers, clickers, and rootkits, may be downloaded to the compromised device. We believe the pool of malware stored on the C&C server to be vast and varied in functionality, giving the attacker multiple options, including data theft or even complete takeover of the device," wrote researchers.
Symantec first spotted Xhelper back in March 2019 when it was visiting advertisement pages for monetization purposes. Since then, the malicious app's code has become more sophisticated, and researchers "strongly believe that the malware’s source code is still a work in progress."
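The behaviour described above (no launcher entry point, wake-ups on reboot, package-change and power events, and a foreground service that resists being killed) is visible in an app's manifest before it ever runs. The following Python script is an added triage heuristic written for this page; it is not Symantec's detection logic and not Xhelper's code. It parses two constructed AndroidManifest.xml samples (the package names are hypothetical) and flags the "hidden app plus event-driven receivers" pattern, while showing that a legitimate app with a launcher activity and a boot receiver is not flagged.

```python
"""Static triage of Android manifests for the hidden, event-triggered
pattern described in the Xhelper report. Heuristic is an assumption made
for this example, not a vendor signature; sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android broadcast actions; Xhelper is reported to react to these events.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "device reboot",
    "android.intent.action.PACKAGE_ADDED": "app installed",
    "android.intent.action.PACKAGE_REMOVED": "app removed",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "charger disconnected",
}

def _attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree stores it as {uri}name)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def has_launcher_activity(app):
    """True if any activity is exported to the app drawer (MAIN + LAUNCHER)."""
    for activity in app.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {_attr(a, "name") for a in flt.iter("action")}
            cats = {_attr(c, "name") for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False

def event_triggers(app):
    """Set of manifest-registered receiver actions that wake the app without user action."""
    found = set()
    for receiver in app.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            for action in flt.iter("action"):
                name = _attr(action, "name")
                if name in TRIGGER_ACTIONS:
                    found.add(name)
    return found

def triage_manifest(xml_text):
    """Return package name, a suspicious flag and human-readable findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    launcher = has_launcher_activity(app) if app is not None else False
    triggers = event_triggers(app) if app is not None else set()
    foreground = "android.permission.FOREGROUND_SERVICE" in perms
    findings = []
    if not launcher:
        findings.append("no MAIN/LAUNCHER activity (hidden from app drawer)")
    for name in sorted(triggers):
        findings.append(f"wakes on {TRIGGER_ACTIONS[name]} ({name})")
    if foreground:
        findings.append("requests FOREGROUND_SERVICE (harder to kill under memory pressure)")
    # The Xhelper-like pattern: nothing for the user to open, yet the app
    # arranges to be started by system events.
    suspicious = (not launcher) and bool(triggers)
    return {"package": root.get("package"), "suspicious": suspicious, "findings": findings}

# Constructed sample: hidden app with boot/power receivers and a foreground service.
HIDDEN_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.hidden">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="helper">
    <service android:name=".Svc"/>
    <receiver android:name=".Rx">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: ordinary alarm-clock style app that also restarts on boot.
BENIGN_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.alarm">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Alarm">
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootRx">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for sample in (HIDDEN_SAMPLE, BENIGN_SAMPLE):
        print(triage_manifest(sample))
```

The boot receiver alone is not a signal, which is why the benign sample is not flagged: plenty of legitimate apps restart on boot. It is the combination of no user-visible entry point with system-event triggers that matches the report, and even that is a triage cue for a human analyst rather than a verdict.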
Extending its data loss prevention (DLP) capabilities with the acquisition of the insider threat management provider, Proofpoint said that the combination of ObserveIT’s lightweight endpoint agent technology and data risk analytics with Proofpoint’s information classification, threat detection and intelligence, will offer “unprecedented insights into user activity with their sensitive data.” The transaction is expected to close in the fourth quarter of 2019.
ObserveIT’s insider threat management solution enables security teams to detect, investigate, and prevent potential insider threat incidents by delivering real-time alerts and actionable insights into user activity in one solution. Set to be integrated with Proofpoint’s information protection suite, it will deliver real-time detection of anomalous interactions across people, data, devices, and applications, allowing security teams to understand and respond to data being mishandled, whether on a corporate device, in a cloud app like Office 365, or via email.
“Today’s ObserveIT acquisition underscores Proofpoint’s commitment to providing organizations with people-centric cybersecurity and compliance solutions that protect what matters: their people and the data they have access to, in a post-perimeter, cloud-first world,” said Gary Steele, chairman of the board and chief executive officer of Proofpoint.
“Defending data requires the ability to detect risky insider threat behavior and risky user activity, and swiftly mitigate risk across cloud apps, email, and endpoints. We are the only security company that provides organizations with deep visibility into their most attacked people—and with ObserveIT, we will bring to market the first truly innovative enterprise DLP offering in years. We are thrilled to welcome ObserveIT’s employees and customers to Proofpoint.”
Mike McKee, CEO of ObserveIT, said that Proofpoint’s leadership in people-centric cybersecurity, broader intelligence and R&D resources “are significant market differentiators and directly complement our ability to quickly detect insider threats and prevent critical information loss.”
McKee added: “We are very excited to join the Proofpoint team and provide customers with even more powerful solutions to mitigate insider threats, decrease incident investigation time, and make sure users don’t intentionally or accidentally send valuable, confidential information externally.”
The US government will soon partially relax its block on Huawei by allowing domestic tech firms to sell it components, according to the Commerce Department.
Although Donald Trump in June signaled a softening of Washington’s hardline approach to the Chinese giant, when he said he’d allow some US firms to start supplying the company again, the all-important licenses have still not appeared.
Commerce secretary Wilbur Ross said on Sunday that these “will be forthcoming very shortly,” according to Bloomberg.
This will help US firms which have seen rival companies in Asia pick up lucrative contracts to sell Huawei various components, after Trump approved a decision to put the Shenzhen firm and 70 affiliates on an “entity list.”
It’s telling that the Commerce Department has already received 260 requests from US firms for licenses to circumvent Huawei’s blacklisting.
“That’s a lot of applications. It’s frankly more than we would’ve thought,” Ross reportedly said. “Remember too with entity lists there’s a presumption of denial. So the safe thing for these companies would be to assume denial, even though we will obviously approve quite a few of them.”
Huawei has subsequently been joined on the entity list by over 20 other Chinese firms, including AMD joint venture partner Tianjin Haiguang Advanced Technology Investment Company, surveillance tech giants Hikvision and Dahua Technology, and supercomputer builders Sugon and the Wuxi Jiangnan Institute of Computing Technology.
US firms are also fearful of a reprisal from China, which could put them on a tit-for-tat blacklist, making it difficult to sell their wares in the giant eastern market.
For its part, Huawei has been bullish about its growth prospects, despite the intense pressure from Washington, which has also barred it from competing in the US telecoms market.
It denies all claims of being a US national security risk and still hopes to be the world’s leading smartphone maker by volume by 2020.
Media giant Nikkei has become the latest firm to suffer a humiliating Business Email Compromise (BEC), after it admitted losing $29m to scammers following human error.
The Tokyo-headquartered firm, which owns the Financial Times, revealed in a brief statement that an employee of its US subsidiary made the crucial mistake.
“In late September 2019, an employee of Nikkei America, Inc. … transferred approximately $29m Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei,” it noted.
“Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the US and Hong Kong. Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations.”
Nikkei follows a long line of big-name organizations which have been caught out over recent months and years.
Most notably, tech giants Facebook and Google were both tricked into making huge money transfers, of $99m and $23m respectively — although those attacks appear to have been more sophisticated than the one affecting Nikkei.
BEC scammers are also looking to take a leaf out of the ransomware playbook by targeting US municipalities.
The City of Ocala in Florida is said to have lost $742,000 after an official was tricked by a spear-phishing email. The message was sent by an attacker posing as an employee of a building firm the authority is currently using to construct an airport terminal.
When the real construction company complained that an invoice had not been paid, the alarm was raised, according to local reports.
BEC cost global organizations $1.3bn last year, almost half of total losses reported to the FBI.
A global internet registrar with millions of customers has admitted suffering a data breach in August which exposed user account information.
US-based Web.com, and subsidiaries Network Solutions and Register.com, discovered on October 16 that they were hit by an attack late in August.
“Our investigation indicates that account information for current and former Web.com customers may have been accessed,” the firm said in a statement.
“This information includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder. We encrypt credit card numbers and no credit card data was compromised as a result of this incident.”
The firm said it brought an independent cybersecurity firm on board “immediately” after discovering the unauthorized access, in order to determine the scope of the incident and what data was affected.
“We are notifying affected customers through email and via our website, and as an additional precaution are requiring all users to reset their account passwords,” it added.
Although credit card numbers are encrypted in line with PCI DSS standards, Web.com urged customers to keep an eye on card activity.
However, the other stolen information could put customers at risk of follow-on phishing and identity fraud attempts.
Network Solutions is the fifth largest registrar in the world, with almost seven million accounts to its name, although it’s unclear how many were affected by this incident.
Matthew Ulery, chief product officer at SecureAuth, argued that the attack highlights the need for more streamlined, intelligent authentication security to protect employee accounts.
“Attackers are simply walking through the front door of enterprises, gaining unauthorized access and looting PII, further exacerbating the identity security crisis. This attack is a major wake-up call for organizations to improve their identity security approach,” he added.