Info Security


UK Teen Admits Mass Email Bomb Hoax

Wed, 09/05/2018 - 10:39

A Hertfordshire teenager has admitted emailing bomb threats to thousands of schools and disrupting a flight to San Francisco over the past few months.

George Duke-Cohan, 19, pleaded guilty at Luton Magistrates Court to three counts of making hoax bomb threats, according to the National Crime Agency (NCA).

His campaign began in March, when he emailed over 20,000 schools and colleges warning of a bomb threat, which forced over 400 to be evacuated. According to Sky News, the emails were spoofed to appear as if sent from the VeltPvP Minecraft gaming network.

Although arrested just days later, Duke-Cohan was at it again the following month, sending a mass email to schools in the UK and US claiming pipe bombs were hidden on the premises.

Then last month, he is said to have made phone calls to San Francisco airport and US law enforcers claiming an inbound United Airlines flight to San Francisco had been hijacked by gunmen.

According to the NCA, Duke-Cohan pretended to be a concerned father whose daughter aboard the flight had contacted him about the incident.

NCA and local police arrested him at home in Watford on August 31, recovering multiple electronic devices which were banned under the conditions of his bail.

Duke-Cohan has been remanded in custody and is due to appear at Luton Crown Court on September 21.

Duke-Cohan caused “serious worry and inconvenience to thousands of people,” including the 295 UA passengers who were grounded during a security operation following the flight's arrival in San Francisco, said NCA senior investigating officer, Marc Horsfall.

“He carried out these threats hidden behind a computer screen for his own enjoyment, with no consideration for the effect he was having on others. Despite being arrested and having conditions imposed restricting his use of technology, he persistently broke those conditions to continue his wave of violent threats,” he added.

“Law enforcement take such offenses extremely seriously. This investigation proves that operating online does not offer offenders anonymity. We will identify you and you will be brought before the courts.”

Categories: Cyber Risk News

Smart Home Users Failing on Security Basics

Wed, 09/05/2018 - 10:15

Basic security mistakes such as weak passwords and unpatched firmware are exposing smart homes to heightened cyber-risk, according to Bitdefender.

The security vendor’s latest report, The IoT Threat Landscape and Top Smart Home Vulnerabilities in 2018, is compiled from data collected from its BOX IoT security product and interviews with consumers.

The average home is now filled with 20 smart devices, with 95% of vulnerabilities residing in the firmware, the vendor claimed.

Yet despite 60% of users claiming they’re concerned about identity and data theft and malware infection, many are failing to adequately protect IoT devices. Six out of 10 said they’d never performed a firmware update on their router, a figure dropping slightly to 55% for smart TV owners.

Only 60% of smart device users said they have different passwords for each smart device, while half of smart TV owners admitted they’d never changed their password.

Although 30% are worried about a hacker accessing a smart device camera to spy on them, 70% have at least one camera connected to a vulnerable router, Bitdefender claimed.

The firm said its BOX product blocked 461,718 threats in just a 30-day period, most of them (76%) dangerous websites.

E-threat analyst Bogdan Botezatu argued that weak passwords or a single password reused across multiple devices, failure to patch, careless browsing and clicking on suspicious links or attachments can all open the cyber front door of the smart home to hackers.

Yet users are not the only ones to blame.

“Smart device manufacturers share responsibility for the current state of IoT security because most of them are overlooking the security aspect,” he added. “In their rush to launch the product ahead of the competition, they are leaving attack avenues wide open to attackers interested in user sensitive data.”

A BSI kitemark initiative launched earlier this year should make it easier for consumers to choose products which have passed best practice standards for cybersecurity.

Categories: Cyber Risk News

BEC Fraud Hits 500K UK SMEs

Wed, 09/05/2018 - 09:26

Business email compromise (BEC) fraud attacks soared 58% over the past year, possibly affecting as many as half a million SMEs, according to new Lloyds Bank data.

The high street lender claimed that smaller UK firms are losing on average £27,000 per scam to impersonation fraudsters.

Law firms are most affected (19%), followed by HR, IT workers and finance companies.

However, the true scale of the challenge could be even greater, as one in 20 victims apparently hide their mistakes from colleagues for fear of being fired.

Half of respondents to the study claimed that scammers tried to impersonate the CEO, but even more (52%) posed as suppliers, highlighting the challenge facing organizations keen to shut down this growing risk.

The stats chime somewhat with figures released by Barracuda Networks last week, which revealed that the largest number of attacks focus on impersonating people outside the C-level.

The new Lloyds Bank figures were released as part of an awareness-raising exercise among small businesses, run with the government-backed Get Safe Online.

“The most effective way to ward against these fraudsters is to double check the details. Verify any requests for amended payments to an organization directly using established contact details,” explained Get Safe Online CEO, Tony Neate. “If you’ve received a suspicious email, always check with the person you believe sent it by asking in person, phoning them or using a different trusted communication method.”

Interestingly, the poll of 1,500 SME workers revealed that millennials are most at risk of being targeted: 12% have been hit or know someone who has fallen victim to impersonation fraud.

According to FBI figures, scammers have now made over $12.5bn from BEC attacks since 2013. Attacks jumped 17% last year with nearly 89% of organizations polled by Proofpoint on the receiving end of at least one BEC scam.

Categories: Cyber Risk News

Multiple Vulnerabilities Found in Opsview Monitor

Tue, 09/04/2018 - 14:18

SecureAuth Core Security today published a vulnerability disclosure in conjunction with enterprise systems monitoring software provider Opsview. The disclosure covers five vulnerabilities in the company’s Opsview Monitor product, a virtual appliance deployed inside an organization’s network infrastructure.

The product comes bundled with a web management console that monitors and manages both hosts and their services. “Opsview builds monitoring software that helps DevOps understand how the performance of their hybrid IT infrastructure & apps impacts business service delivery,” the advisory stated.

“Opsview Monitor supports 3500 Nagios plugins and service checks making it easy to monitor everything from Docker and VMware to Amazon Web Services, Hyper-V and more. Multiple vulnerabilities were found in the Opsview Monitor, which would allow an attacker with access to the management console to execute commands on the operating system.”

Core Security initially notified Opsview and requested GPG keys in order to send a draft advisory on May 3, 2018. After receipt of the advisory, Opsview said it was able to reproduce all of the vulnerabilities and planned to release a fix by the end of July, according to the report timeline. Opsview and Core Security continued to communicate as the company worked on the remaining fixes. Both companies agreed on the September 4, 2018, date for advisory publication.

Two of the five vulnerabilities, a reflected Cross-Site Scripting (XSS) flaw in diagnostics and a persistent XSS flaw in the settings endpoint, could be used by an attacker to execute malicious JavaScript code in the context of a legitimate user.

The proof-of-concept (PoC) showed that “the input will be stored without any sanitization and rendered every time the /settings section is visited by the user. It’s important to point out that this XSS is self-stored and is executed only in the context of the victim’s session. However, this vulnerability can be exploited by an attacker to gain persistence and execute the malicious code each time the victim accesses the settings section,” according to the advisory.

The remaining three vulnerabilities are notification abuse leading to remote command execution, abuse of the RANCID test-connection functionality leading to command execution, and script modification that could allow local privilege escalation.

Researchers Fernando Díaz and Fernando Catoira from Core Security Consulting Services discovered the vulnerabilities, and Leandro Cuozzo, a member of Core Advisories Team, coordinated the advisory publication.

Categories: Cyber Risk News

Premera Blue Cross Accused of Destroying Computer

Tue, 09/04/2018 - 13:46

A motion has been filed on behalf of the plaintiffs in a class action lawsuit against Premera Blue Cross insurance. Filed on August 30, 2018, in the US District Court in Portland, Oregon, the motion alleges that the company failed to preserve evidence of potential data exfiltration in a security incident that occurred in March 2015.

According to the motion, “Plaintiffs move for sanctions against Defendant Premera for discovery misconduct. By willfully destroying: (a) a computer that the hackers used in the data breach and which may have held evidence of data exfiltration; and (b) data loss prevention software logs that may have shown evidence of data exfiltration, Premera spoliated key evidence and prejudiced Plaintiffs’ ability to achieve a rightful decision in this case.”

Because key evidence was reportedly destroyed, the motion also asked that the judge instruct jurors to presume exfiltration occurred; however, Premera has maintained that the security incident did not result in a data breach and that there was no exfiltration.

Evidence of whether there was any exfiltration has been confused by the multiple reports throughout the investigation. Plaintiffs initially understood that forensic evidence confirmed a data breach, but when they requested evidence, key information was missing.

“In particular, Plaintiffs asked Premera for two categories of evidence: (1) files contained on the hard drives of computers compromised by the hackers; and (2) log files from Premera’s various types of data security software – both of which can show evidence of exfiltration and both of which Premera destroyed well after Plaintiffs filed their complaints.”

In the aftermath of the March 2015 incident, Mandiant, a FireEye company, had conducted the initial forensic investigation of all 35 computers involved. However, when the plaintiffs requested the forensic images to conduct their own investigation, Premera only provided evidence from 34 computers, claiming that the 35th computer had been destroyed.

The motion contends that Mandiant had indeed found evidence of exfiltration in an unusual RAR file (an archive format commonly used by hackers to compress files). The 35th computer was reportedly a developer computer, named A23567-D.

“Mandiant found that A23567-D contained a unique piece of hacker-created malware that Mandiant called PHOTO,” the motion stated. Yet, when plaintiffs requested images from A23567-D, Premera confirmed that it had destroyed the computer and had done so after the lawsuits were filed.

Categories: Cyber Risk News

#CloudSec: Future CISOs More Integrated than Stressed in a Silo

Tue, 09/04/2018 - 13:14

Talking about the changing role of the CISO and the security department at the Cloudsec conference in London, Leah MacMillan, SVP global marketing at Trend Micro, asked the panel whether the role of the CISO was changing.

Carmina Lees, financial services managing director, Middle East & Africa at Accenture, referred to an instance where devices were compromised by a 15-year-old attacker and the CISO was called in at the weekend to deal with it “and you could hear the sheer panic and stress in her voice on how big it was.”

Martin Borrett, IBM distinguished engineer and CTO of IBM Security Europe, said that as 2017 was “a major year for malware” he had to spend several weekends working on client sites to help them recover from incidents, “and we learned a lot about patching and architectures.”

Looking at the changing role of the CISO, Lees said that CISOs are often tasked with being multi-skilled to be able to keep up with threats and present internally to the board, while Borrett said that “some are figureheads and public symbols, some are fall guys and [some in the] space between.”

Moving on to the subject of the skills shortage, which a poll determined was “the biggest blocker to cybersecurity success this year,” Jane Frankland, CISO advisor, speaker and author, said that there was a need to “do a better job of explaining what cybersecurity is to kids, and go into organizations and understand the transfer of skills” from school to business, and create more ambassadors and evangelists to attract talent.

Asked by MacMillan what the key trends are in new technology, journalist Gary Miliefsky praised innovation for slowing down breaches. He said he did not like the concept of “hacking back,” but that the ability to document and record attackers for forensic purposes was positive.

The panel were united on the people aspect. Frankland said she would like to see a focus on people being able to do a better job, outlines on what is required of them to be a competent professional in the industry, and she called for a charter so professionals “can be held accountable.

“I want to see more focus on the people aspect, and equipping them with the tools needed: be they tech or soft skills, as they need a combination of both.”

Concluding on what the role of the CISO will look like in five years, Miliefsky explained that the future CISO will not be “someone in a security silo” but will be integrated with HR, IT and compliance, and integrated with the organization.

Categories: Cyber Risk News

MagentoCore Most Prolific Skimmer Campaign

Tue, 09/04/2018 - 13:10

Online retailers and consumers alike need to exercise caution when making credit card purchases. Magento, a global e-commerce platform, has been targeted by a single group planting skimmers on individual stores, according to security researcher Willem de Groot.

In the past six months, 7,339 individual stores have fallen victim to the online skimming campaign in which the identity and credit card information of consumers is stolen while they shop, making the MagentoCore skimmer the most successful to date, said de Groot.

“No campaign has been so prolific as the skimmer," he said. "The MagentoCore skimmers gain illicit access to the control panel of an e-commerce site, often with brute force techniques (automatically trying lots of passwords, sometimes for months). Once they succeed, an embedded piece of JavaScript is added to the HTML template."

While most of the affected merchants have recovered in just a few weeks, the malware has found a home for a full six months in 1,450 stores.

According to Magento's website, 51 million customers around the globe have made purchases from Magento merchants. With 260,000 merchants reportedly using the Magento platform, the hacker group continues to target new brands, successfully hijacking between 50 and 60 stores per day over the last two weeks.

Because Magento is an open source platform, it is an attractive target for bad actors. “This latest attack was likely carried out through password guessing and exploited vulnerabilities in Magento servers that allowed hackers to take over vulnerable websites and create a malware backdoor to periodically inject malicious script,” said Devon Merchant, digital security and operations manager of The Media Trust.

“The vulnerabilities might lie in the web application source code, enabling bad actors to manipulate the code and inject rogue script into the HTML template. The script then logs keystrokes and sends them to a command-and-control server.”

E-commerce stores that use the platform are advised to take a more proactive approach to securing their sites. “Given the sophistication of malicious campaigns, they should work closely with their third-party code providers on cleaning up their digital ecosystem. Moreover, they should continuously scan these sites for any unauthorized actors and activities,” Merchant said.

Categories: Cyber Risk News

#Cloudsec: Arrested Teenage Hackers can be Cybersecurity’s Future Stars

Tue, 09/04/2018 - 12:39

Speaking at the Trend Micro Cloudsec conference in London, Trend Micro’s VP security research, Rik Ferguson, said that it is important to know what is going on inside the cyber-criminal’s mind, and what their motivations are.

Leading to a discussion around hiring ‘black hat’ hackers, the panelists agreed that there are instances where teenagers will use a malware tool to get ahead in an online game without realizing the criminal aspect of what they are doing. Paul Hoare, head of cybercrime incident management at the NCCU, said that there were opportunities for white hats to mentor these people “as they can be arrested at 15 and it is an issue we see a lot of.”

Asked by Ferguson if it was right to hire black hats, Charlie McMurdie, former head of the Police National Cyber Crime Unit and former senior Cyber Crime Advisor at PwC, said that it is easy to stereotype and not hire a certain person because “they present a risk and a vulnerability to your organization.” She explained that she had come across numerous hackers who were employed by numerous businesses; when you talk to them about how they committed their attacks, it becomes clear that it did not require a lot of skill. Many youngsters are not that sophisticated, are subsequently arrested and charged, and are later hired by businesses.

“Where they are really useful sometimes is to understand their motivation and why they did certain things, and how they got involved in certain acts, rather than hiring them for their technical capability – that is a big stereotype as some of them are very clever and very well informed,” she said.

“The debate is really on whether you would trust a hacker who has committed that offence to run loose within your organization and within your network.”

McMurdie added that some of those hackers, who were arrested as teenagers, are now doing Masters degrees and research in the cybersecurity arena.

“I think early intervention is a great opportunity, particularly with the youngsters.” She likened this to a sportsman practising and honing their skills, and praised work done by industry to create environments to develop skills and motivations.

Ian McCormack, technical director for risk at the NCSC, said he agreed with that concept, as an important attribute of a person is an inquisitive nature and an interest in how things work. “I don’t want to draw this as black and white, but look at their motivations,” he said. “It is far more productive for everyone if we can channel that into a positive direction, and encourage them to look at things like CyberFirst and Cyber Security Challenge that they can participate in.”

Nicole van der Meulen, senior strategic analyst at Europol, argued that until now it has been very black and white, and when arresting a teenager “you basically commit them to a life sentence and that is very problematic.”

She added that role models would have to be within their peer group for them to take notice, and teachers of today may not be equipped with the right education.

Asked by Ferguson if we need to do more within schools as an industry, Hoare said that the issue is commonly that the pupils know more about the subject than the teacher, and active engagement has had a positive response.

Categories: Cyber Risk News

Crypto Spat Sees BTG Delisted from Exchange After Attack

Tue, 09/04/2018 - 11:01

A major cryptocurrency exchange, Bittrex, has delisted Bitcoin Gold (BTG) after the latter refused to pay $250,000 to cover losses the exchange suffered from a major cyber-attack earlier this year.

Back in May, an attacker is said to have rented servers from the cloud mining marketplace NiceHash to carry out a 51% attack on BTG, allowing them to hijack the blockchain to then perform a so-called “double spend” attack.

The double spend saw the attackers send BTG tokens to various exchanges, trade them for other coins and then cash out, before returning the original BTG tokens to their wallet. They could do this because they had temporary control of the blockchain.

It’s thought that hackers stole as much as $18m in BTG based on prices at the time.

BTG refused to pay half of Bittrex’s losses as demanded because it maintains that it did plenty at the time to warn the exchanges of impending double spend attacks. It said it handed over the attacker’s wallet address, advised them to raise confirmation requirements and urged them to flag and review any “unusually large” deposits.

“Despite all of our efforts, Bittrex was the victim of the last and largest BTG double-spend the attackers performed. The attackers deposited 12,371 BTG from the wallet we previously identified,” explained the firm.

“Several hours later, Bittrex allowed them to trade that BTG and withdraw some amount of other coins, and then the attackers used the 51% attack to double-spend those BTG, invalidating their original deposit. We feel it’s clear that we took every reasonable step to try to help ensure Bittrex’s safety against this threat.”

Although no customer funds were at risk in this instance, the incident is another example of the problems that can arise from burgeoning digital currency systems.

Categories: Cyber Risk News

ICO Breach Reports Jump 75% as Human Error Dominates

Tue, 09/04/2018 - 09:22

The volume of data breach incidents reported to the UK’s data protection watchdog over the past two years increased 75% as organizations geared up for the new data protection regime, according to the results of a new Freedom of Information (FOI) request.

Risk management firm Kroll also found that human error accounted for the vast majority (88%) of incidents reported to the Information Commissioner’s Office (ICO) over the past year: 2,124 reports versus just 292 cases that were down to deliberate cyber-attacks.

Of these, data emailed to the wrong recipient (447) topped the list, followed by data posted/faxed to the incorrect recipient (441), loss/theft of paperwork (438), failure to redact data (256) and data left in an insecure location (164).

Unauthorized access, malware and phishing were the most common forms of deliberate attack leading to a breach.

“Effective cybersecurity is not just about technology. Often, companies buy the latest software to protect themselves from hackers, but fail to instigate the data management processes and education of employees required to mitigate the risks,” said Kroll MD, Andrew Beckett. “The majority of data breaches, and even many cyber-attacks, could be prevented by human vigilance or the implementation of relatively simple security procedures.”

The health sector accounted for the vast majority of incidents reported in 2017/18, but that’s in part down to pre-GDPR mandatory reporting rules for the sector. In fact, the “general business” category saw the biggest rise in incidents from 2016/17 to 2017/18 (215%), followed by education and childcare (142%), justice (128%) and legal (112%).

Beckett claimed the FOI results represent only a snapshot of the true scale of data breach incidents in the UK.

“Now that the regulation is in force, we would expect to see a significant surge in the number of incidents reported as the GDPR imposes a duty on all organizations to report certain types of personal data breach,” he said.

“We would also expect to see an increase in the value of penalties issued as the maximum possible fine has risen from £500,000 to €20m or 4% of annual turnover, whichever is higher. The ultimate impact is that businesses face not only a much greater financial risk around personal data, but also a heightened reputational risk.”

Categories: Cyber Risk News

Google Set to Restrict Tech Support Ads

Tue, 09/04/2018 - 08:53

Google has started restricting ads for tech support services ahead of rolling out a verification program to deal with rising levels of fraud enabled by advertising on its search platform.

The search giant claimed to have taken down more than 3.2 billion ads that violated its advertising policies, over 100 per second. However, the never-ending game of whack-a-mole against the scammers has taken another turn, according to David Graff, director of global product policy at the firm.

“Today, we’re taking another step. We’ve seen a rise in misleading ad experiences stemming from third-party technical support providers and have decided to begin restricting ads in this category globally,” he explained.

“For many years, we’ve consulted and worked with law enforcement and government agencies to address abuse in this area. As the fraudulent activity takes place off our platform, it’s increasingly difficult to separate the bad actors from the legitimate providers. That’s why in the coming months, we will roll out a verification program to ensure that only legitimate providers of third-party tech support can use our platform to reach consumers.”

It’s unclear what form the verification program will take, although Google has previously implemented such schemes to fight fraudulent ads for local locksmith services and addiction treatment centers. It claimed to have also banned ads for payday loans and bail bond services.

Tech support scams have been around for years, and all rely to an extent on tricking the user into paying for services they don’t need — sometimes even downloading info-stealing malware onto their computer in the process.

Often they come from cold callers pretending to be technicians at Microsoft or various ISPs, but users can also be scammed by fake security alert pop-ups on their screen if they visit a compromised web page.

Categories: Cyber Risk News

Bitfi Retracts ‘Unhackable’ Claims

Mon, 09/03/2018 - 11:01

A cryptocurrency wallet device-maker has closed its bug bounty program and retracted claims it is unhackable after a researcher demonstrated yet another successful attack.

The $120 Bitfi device is backed by outspoken security pioneer John McAfee, who still claims it is unhackable despite researchers confirming they have been successful on multiple occasions.

“As part of our ongoing efforts to protect our customers we have hired an experienced Security Manager, who is confirming vulnerabilities that have been identified by researchers. Effective immediately we are closing the current bug bounty programs which have caused understandable anger and frustration among researchers,” read a statement from the company posted on Twitter.

“Effective immediately, we will be removing the ‘unhackable’ claim from our branding which has caused a significant amount of controversy. While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal.”

Researchers became increasingly frustrated with the firm, claiming that its definition of ‘hack’ was too narrow. To qualify for the $100,000 reward, it emerged that individuals had to access cryptocurrency from a device locked with an unknown passcode.

The final nail in the coffin of Bitfi’s controversial marketing strategy appears to have been a video of a successful cold boot attack posted by 15-year-old white hat Saleem Rashid.

However, McAfee has doubled down on the claims, posting a $20m challenge on Twitter to hack the device.

Bitfi was given the “lamest vendor response” award at Black Hat USA this summer in light of its ongoing spat with the research community.

Categories: Cyber Risk News

Five Eyes Talk Tough on Encryption Backdoors

Mon, 09/03/2018 - 09:42

The Five Eyes allies have threatened to introduce legislation if technology providers don’t help them to break end-to-end encryption in specific cases where private info is sought on suspects.

The five-country partnership of the UK, US, Australia, Canada and New Zealand met in Australia last week with homeland security, public safety and immigration ministers and attorneys-general in attendance.

The joint statements released following its conclusion ratcheted up the hyperbole on a subject where law enforcers and intelligence agencies on one side and technologists on the other are in deadlock.

“The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake,” the statement said. “Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.”

Governments want tech providers like Apple, Facebook and others to provide “lawful access solutions” to their products so they can request private info in cases where “a court or independent authority has authorized such access based on established legal standards.”

However, as leading encryption specialists have said time and again, such solutions cannot be engineered without undermining the security of those services for hundreds of millions of law-abiding users and businesses.

They have even written to FBI boss Christopher Wray demanding to know how it could be done.

Now the Five Eyes allies look like they’re getting close to forcing the hand of Silicon Valley.

“Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions,” the statement warned.

One alternative mooted in Germany is to allow police to hack suspects’ devices directly, thus bypassing the need for encryption backdoors.

Categories: Cyber Risk News

RansomWarrior Defeated with Decryption Tool

Mon, 09/03/2018 - 09:10

Security researchers have managed to crack new ransomware purporting to come from India, providing a decryption tool and usage guide for victims.

RansomWarrior was discovered by Check Point’s Malware Hunter Team in early August. Alongside instructions on how to pay using Bitcoin, a lock screen presents victims with a list of “bonus tips.”

These include suggestions for older users to ask a younger relative for help if they are confused about the process, and not to report the incident to police because it will cost valuable time and “they can’t help you anyways.”

The message concludes with the cheery: “Have a good day with love from India.”

However, the malware writers themselves appear to have made a few mistakes.

“Written in .NET, the executable itself isn’t obfuscated, packed, or otherwise protected, suggesting those behind it are relatively new to the game. In fact, the ‘encryption’ used by the ransomware is a stream cipher using a key randomly chosen from a list of 1000 hard-coded keys in RansomWarrior’s binary code,” said Check Point.

“As a result, the Check Point Research team has been able to extract those keys, and, as the key’s index is saved locally on the victim’s computer, provide the correct keys to the ransomware itself in order to unlock the files.”

Users simply execute the decryption tool as “administrator,” and when prompted, return to the original ransom note and click “get your important files back.”

A pop-up will notify when all files have been decrypted.
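The Python below is an added illustration, not Check Point's decryptor or the malware's own code. It models the weakness the researchers describe: a stream cipher keyed from a fixed list of 1000 keys embedded in the binary, with the chosen key's index written to the victim's machine. The key list, the SHA-256 counter-mode keystream and the sample file are constructed stand-ins. Two things follow from the design, and the code shows both: anyone holding the binary holds every key, so the saved index alone decrypts the file; and a 1000-entry list is only about ten bits of entropy, so even without the index a known file header is enough to find the key by trying them all.

```python
import hashlib
import random

# Stand-in for the list embedded in the real binary: 1000 deterministic
# toy keys (constructed; the real malware's keys are not reproduced here).
KEY_LIST = [hashlib.sha256(b"toy-key-%d" % i).digest() for i in range(1000)]


def keystream(key, length):
    """Toy stream cipher: SHA-256 in counter mode. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_like_ransomwarrior(plaintext, rng=random):
    """Pick one of the embedded keys at random and return the ciphertext
    together with the index the malware stores locally on the victim."""
    idx = rng.randrange(len(KEY_LIST))
    ct = xor(plaintext, keystream(KEY_LIST[idx], len(plaintext)))
    return ct, idx


def decrypt_with_index(ciphertext, idx):
    """What a decryptor built from the extracted key list does: read the
    saved index, look the key up, undo the XOR."""
    return xor(ciphertext, keystream(KEY_LIST[idx], len(ciphertext)))


def recover_without_index(ciphertext, known_prefix):
    """Even if the saved index is lost, 1000 candidates is a trivial search:
    try every key against a known file header (e.g. b'%PDF-' or b'PK\\x03\\x04')
    and return the index that reproduces it, or None."""
    n = len(known_prefix)
    for idx, key in enumerate(KEY_LIST):
        if xor(ciphertext[:n], keystream(key, n)) == known_prefix:
            return idx
    return None


if __name__ == "__main__":
    sample = b"%PDF-1.4 constructed sample document"   # constructed victim file
    ct, saved_idx = encrypt_like_ransomwarrior(sample)
    assert decrypt_with_index(ct, saved_idx) == sample
    print("saved index:", saved_idx, "brute-forced index:",
          recover_without_index(ct, b"%PDF-"))
```

The brute-force path is the general lesson: a key "randomly chosen" from a list that ships with the program is not a secret, and its strength is the list length, not the cipher.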

Cyber-criminals in general are increasingly eschewing ransomware in favor of easier ways to make money, such as cryptojacking.

Trend Micro reported last week that cryptocurrency mining malware detections soared a staggering 956% from 1H 2017 to the first six months of 2018. At the same time, ransomware detections grew by just 3% from the previous half year.

Categories: Cyber Risk News

Mobile Phishing Campaign Offered Free Flights

Fri, 08/31/2018 - 16:48
Mobile Phishing Campaign Offered Free Flights

A campaign recently reported by Farsight Security involved an internationalized domain name (IDN) "homograph-based" phishing website that tricked mobile users into inputting their personal information. The suspected phishing websites presented as commercial airline carriers – specifically Delta Airlines, easyJet and Ryanair – and offered free tickets, fooling users with the age-old bait-and-switch technique.

Users were asked to respond to a series of seemingly innocent questions and then share the free offer with 15 of their WhatsApp contacts before being directed to the URL where they could access the free tickets. After Farsight discovered the first suspected Delta phishing site, it immediately informed the company. According to Farsight researchers, the websites were optimized for mobile and failed to work smoothly on desktop, leaving mobile users as prime targets.

It’s not unusual for phishing scams to use spoofed sites and homograph domains to fool unsuspecting users with trusted brand names. “Users, especially on smaller mobile screens, may not be paying close attention to the URLs or domain names of sites to verify their legitimacy,” said Dirk Morris, chief product officer at Untangle.
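As an added example (not Farsight's tooling and not part of the original report), the Python below shows how a homograph check works on a domain a user or a mail filter sees in punycode form. It decodes the ACE (`xn--`) labels back to Unicode, builds a "skeleton" by mapping look-alike characters onto their Latin counterparts, compares that skeleton against a brand list, and flags labels that mix scripts. The confusables table is a small constructed subset of Unicode TR39 (the real table has thousands of entries), and the brand list is the three airlines named above; both are assumptions of this example.

```python
import unicodedata

# Constructed subset of Unicode TR39 confusables: non-Latin letters that
# render like Latin ones. The full table is far larger.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
    "\u0456": "i",  # Cyrillic і
    "\u0458": "j",  # Cyrillic ј
    "\u03bf": "o",  # Greek ο
    "\u03b1": "a",  # Greek α
    "\u0131": "i",  # Latin dotless ı
}

# Brands to protect (assumption: the carriers named in the article).
BRANDS = {"delta", "easyjet", "ryanair"}


def to_unicode(domain):
    """Turn an ACE (xn--) domain back into Unicode; leave Unicode input alone."""
    if not domain.isascii():
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def skeleton(label):
    """NFKC-fold (fullwidth letters etc.), lowercase, then map confusables."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts(label):
    """Heuristic script set from Unicode character names (LATIN, CYRILLIC, ...)."""
    folded = unicodedata.normalize("NFKC", label)
    return {unicodedata.name(ch, "?").split()[0] for ch in folded if ch.isalpha()}


def analyze(domain, brands=BRANDS):
    """Return one finding per non-TLD label: its skeleton, whether it mixes
    scripts, and which brand (if any) it visually impersonates."""
    labels = to_unicode(domain).split(".")
    findings = []
    for label in labels[:-1]:          # the TLD is not a brand carrier
        sk = skeleton(label)
        spoofed = sk in brands and sk != label.lower()
        findings.append({
            "label": label,
            "skeleton": sk,
            "mixed_script": len(scripts(label)) > 1,
            "impersonates": sk if spoofed else None,
        })
    return findings


if __name__ == "__main__":
    # Constructed lookalike: Latin "delta" with a Cyrillic е in place of e.
    ace = "d\u0435lta.com".encode("idna").decode("ascii")
    print(ace, "->", analyze(ace))
    print("delta.com ->", analyze("delta.com"))
```

On a phone the address bar may show either the Unicode or the `xn--` form, and neither looks wrong at a glance; the skeleton comparison is what a filter or a browser warning has to do on the user's behalf.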

Despite having been around for a while, these types of attacks remain largely successful. “Studies have shown that 95% of web-based attacks use social engineering to trick users,” said Atif Mushtaq, CEO at SlashNext.

“These types of contest phishing scams have become increasingly sophisticated, in large part because people are getting trained by their organizations to recognize fake emails, giveaway scams or imposter websites asking for credit card or login details.”

Being duped by sophisticated phishing scams is not uncommon, but there are common signs to look for in phishing scams. What users need to remember is that nothing is ever really free, explained Ajay Menendez, executive director, HUNT Program at SecureSet.

“Check the 'from' email address for any signs that it might not be legitimate, and look for numbers instead of letters or common misspellings or letters that are inverted or missing. Poor spelling and grammar can be giveaways in the body of the email," Menendez said.

“Your bank and other legitimate accounts will never ask for your social security number in an email. If you receive an email asking for this information, call your bank (and any other company who may be requesting this) to confirm. Never provide email, account information or passwords via email.”

“Many phishing scams will look very legitimate,” he said, “so even if the email looks like it comes from your cable company, be extra cautious. This is an instance where an ounce of prevention is worth a pound of cure.”

Categories: Cyber Risk News

Orgs Still Feel Vulnerable Despite Cyber Standards

Fri, 08/31/2018 - 12:10
Orgs Still Feel Vulnerable Despite Cyber Standards

Even though the majority of companies across the globe have implemented cybersecurity standards, a new report from IT Governance USA found that companies still believe they are the likely target of an attack.

Since 2017, there has been a 25% increase in data breaches, according to the ISO 27001 Global Report, which also revealed that 68% of organizations are now using ISO 27001 – the international standard for best practices with information security management systems (ISMSs) – to achieve General Data Protection Regulation (GDPR) compliance. Despite this majority, cybersecurity remains a top concern for organizations worldwide.

With regard to the GDPR, the report found that 43% of companies will be implementing an ISO 27001-compliant ISMS to enable them to maintain compliance with the EU GDPR. More than half of the respondents who have already implemented this standard (57%) reportedly did so because they believed they would gain a competitive advantage.

In fact, the overwhelming majority (89%) of organizations reported that improving their information security was the single greatest benefit of implementing ISO 27001.

“Implementing an ISO 27001-compliant ISMS is not only information security best practice but is also integral to demonstrating data protection compliance,” the report stated. “Even if you do suffer a breach, regulators show leniency to organizations that have certified to ISO 27001 because they are able to demonstrate that they are following information security best practice.”

Perhaps that is why two-thirds of 128 organizations that participated in the survey believe implementing ISO 27001 improves their security posture, reflecting a 3% jump from the 2016 and 2015 reports.

“Unfortunately, as long as cybercrime remains a lucrative trade, risks will continue to escalate, and attackers will continue to proliferate,” said Alan Calder, founder and executive chairman of IT Governance. “To counter this, organizations need to be fully prepared. ISO 27001, an information security standard designed to minimize risks and mitigate damage, offers the preparedness organizations need.”

Categories: Cyber Risk News

43% of Security Pros Could Execute Insider Attack

Fri, 08/31/2018 - 11:42
43% of Security Pros Could Execute Insider Attack

A recent survey of nearly 200 IT professionals about insider threats found that nearly half of the participants believed they could successfully attack their organizations from the inside. In a blog post earlier this week, Imperva researchers reported on insider threats and revealed the findings of the survey.

Of the 179 IT professionals who participated in the survey, 43% said they were confident they could execute an insider attack. Only a third said carrying out an insider attack would be either difficult or impossible, while a mere 22% felt they had a 50/50 chance of successfully stealing information from the inside.

When asked how they would execute a successful insider attack, 23% said they would use their company-owned laptop to steal information from the organization, 20% would use their personal computers, and 19% would use their own laptops.

“The continued reliance on data for today’s businesses means more people within an organization have access to it,” explained Imperva CTO Terry Ray. “The result is a corresponding increase in data breaches by insiders either through intentional (stealing) or unintentional (negligent) behavior of employees and partners."

“While the most sensational headlines typically involve infiltrating an ironclad security system or an enormous and well-funded team of insurgents, the truth of how hackers are able to penetrate your system may be less obvious: it’s your employees,” he continued.

Insider threats continue to rank among the top cybersecurity concerns, and the survey suggests that every company could potentially fall victim to an insider-related breach, whether from a malicious actor or from negligence.

“It’s much better to put the necessary security measures in place now than to spend millions of dollars later," Ray said. "Every company can take some basic steps in their security posture to minimize insider threats, including background checks, monitoring employee behavior, using the principle of least privilege, controlling and monitoring user access, and educating employees.”

Categories: Cyber Risk News

BEC Analysis Reveals Organization-Wide Threat

Fri, 08/31/2018 - 10:45
BEC Analysis Reveals Organization-Wide Threat

Around half of the people impersonated in Business Email Compromise (BEC) scams, and around half of those who receive them, are not C-level or finance/HR employees, highlighting the need for a company-wide policy to mitigate the threat, according to new research.

Security firm Barracuda Networks analyzed 3000 BEC campaigns to better understand where and how attackers are focusing their efforts.

Sometimes referred to as “CEO fraud,” the scams often work by impersonating a company boss, either by spoofing their email domain or by phishing or cracking their account, and then trying to persuade a member of the finance team to make a large corporate fund transfer to a third-party account.

However, while CEOs accounted for the largest single role impersonated in the scams (43%), an even bigger proportion (48%) came from a long tail of other roles outside the C-level, finance and HR functions.

When it came to recipients, Barracuda Networks found that 54% also came from non-C-suite, finance or HR roles. The next most popular recipients were CFOs (17%) and finance/HR staff (17%).

“As you can see, almost half of the impersonated roles and more than half of targets are not of ‘sensitive’ positions, such as executives, finance or HR,” explained Barracuda vice-president of content security services, Asaf Cidon. “Therefore, simply protecting employees in sensitive departments is not sufficient to protect against BEC.”

The research also found that only 40% of BEC emails contained a malicious link; the remaining 60% relied on text alone, which gives traditional link- and attachment-based security filters nothing to detect.

Some 47% requested a direct wire transfer, while 12% sought to establish a rapport with the recipient — presumably before requesting the transfer — and a further 12% were designed to steal personally identifiable information (PII).

Barracuda Networks recommended firms implement a combination of technology designed to combat spear-phishing, often the first stage in a BEC attack, and user education to improve awareness of scams.

Neil Larkins, CTO of Egress Software Technologies, added that AI tools can also be used to improve detection.

“By analyzing people’s email behavior, smart technology can now recognize patterns and highlight anomalies,” he said.

“In cases where a phishing email requires an individual to respond, they can be alerted to the fact they haven’t emailed this recipient before or that the recipient’s domain is not trusted — immediately raising red flags for the user in scenarios where cyber-criminals are leveraging established relationships.”
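The Python below is an added example, not Barracuda's or Egress's product logic, that puts the two points above into detection code: the ways a boss is impersonated (a spoofed own-domain address that fails authentication, a look-alike domain, an executive's display name on an outside address, a mismatched Reply-To) and the behavioural signals Larkins mentions (a sender the recipient has never corresponded with) plus payment language in the body. The company domain, the executive directory, the sender history and the three sample messages are all constructed; the link-free BEC style is exactly what the link scanners miss, so the checks here look at headers and text instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumption: protected org
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # constructed directory
KNOWN_SENDERS = {"jane.doe@example.com",               # constructed mail history
                 "supplier@vendor.example"}
WIRE_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent|gift cards?)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; enough to catch examp1e.com / exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_bec(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = str(msg.get_payload() or "")
    flags = []

    # Executive's display name on an address that is not theirs
    if name.strip().lower() in EXECUTIVES and EXECUTIVES[name.strip().lower()] != addr:
        flags.append("exec_display_name_external_address")
    # Domain one or two edits away from ours (typosquat / look-alike)
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike_domain")
    # Claims to be our own domain but did not pass DKIM at our gateway
    if domain == COMPANY_DOMAIN and "dkim=pass" not in auth:
        flags.append("unauthenticated_own_domain")
    # Replies would go somewhere other than the visible sender
    if reply_to and reply_to.lower().rsplit("@", 1)[-1] != domain:
        flags.append("reply_to_mismatch")
    # Nobody here has mailed this address before
    if addr not in KNOWN_SENDERS:
        flags.append("first_contact")
    # Money talk in a plain-text message with no link to scan
    if WIRE_WORDS.search(body):
        flags.append("payment_language")
    return flags


# Constructed samples (not real mail)
SPOOFED_OWN_DOMAIN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none

Please process a wire transfer of 48,000 today. I'm in meetings, just do it.
"""

LOOKALIKE_DOMAIN = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jdoe.ceo@webmail.example
To: accounts@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=examp1e.com

Are you at your desk? I need an urgent wire handled before 3pm.
"""

LEGITIMATE = """\
From: Bob Supplier <supplier@vendor.example>
To: accounts@example.com
Subject: Notes
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=vendor.example

Meeting notes from Tuesday attached.
"""

if __name__ == "__main__":
    for label, m in [("spoofed", SPOOFED_OWN_DOMAIN), ("lookalike", LOOKALIKE_DOMAIN),
                     ("legit", LEGITIMATE)]:
        print(label, score_bec(m))
```

Note that the look-alike message passes SPF and DKIM cleanly: the attacker owns examp1e.com and authenticates it properly, so authentication results only help against spoofing of your own domain, not against impersonation from a domain the attacker controls.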

Categories: Cyber Risk News

Cryptojackers Exploit Critical Apache Struts Flaw

Fri, 08/31/2018 - 09:45
Cryptojackers Exploit Critical Apache Struts Flaw

A critical Apache Struts vulnerability disclosed last week is being actively exploited in the wild to maliciously install a popular cryptocurrency miner on victim systems, according to researchers.

Experts at security vendor Volexity warned earlier this week that they spotted the activity shortly after a proof-of-concept exploit was made public.

“The in-the-wild attacks observed thus far appear to have been taken directly from the publicly posted PoC code. In this instance, Apache Struts is vulnerable due to an improper validation of namespace input data, and the flaw is trivial to exploit,” the firm explained.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses and”

The CVSS 10.0 vulnerability was revealed last week, with experts urging admins to patch as soon as possible to protect their systems. A flaw in the popular web application framework was infamously exploited last year when Equifax failed to apply an available update, resulting in a data breach thought to have affected nearly half of all Americans.

Advice from the Apache Software Foundation is to upgrade to Struts 2.3.35 or Struts 2.5.17.

There could be more danger ahead for organizations which fail to patch promptly: the flaw enables remote code execution, so a miner is only the least ambitious thing an attacker can run on a vulnerable server.
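Two checks a practitioner would want after reading the above, written here as an added example rather than anything from Volexity or the Apache advisory. The first compares deployed struts2-core jar versions against the fixed releases named above (2.3.35 and 2.5.17), treating any other branch as unknown rather than guessing. The second is a log heuristic that is my assumption, not a published signature: Struts OGNL injection payloads are expressions of the form `${...}` or `%{...}`, usually URL-encoded, so request paths containing such a marker after decoding deserve a look. The log lines are constructed in Apache combined format, with a harmless `${1+1}` probe standing in for a real payload.

```python
import re
from urllib.parse import unquote

# Fixed releases from the Apache advice quoted above; older builds on each
# branch still carry the flaw.
FIXED = {"2.3": (2, 3, 35), "2.5": (2, 5, 17)}

JAR_RE = re.compile(r"struts2-core-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$")
OGNL_MARKER = re.compile(r"[$%]\{")           # heuristic: start of an OGNL expression
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+)')


def parse_struts_version(jar_name):
    """'struts2-core-2.5.16.jar' -> (2, 5, 16); None if not a struts2-core jar."""
    m = JAR_RE.search(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_patch(version):
    """True if the version is older than its branch's fixed release,
    False if it is at or past it, None for branches the advisory does not cover."""
    fixed = FIXED.get(f"{version[0]}.{version[1]}")
    if fixed is None:
        return None
    return version < fixed


def vulnerable_jars(jar_names):
    """Filter a list of jar file names down to those that still need the fix."""
    out = []
    for name in jar_names:
        v = parse_struts_version(name)
        if v is not None and needs_patch(v):
            out.append(name)
    return out


def suspicious_request_paths(log_lines):
    """Return decoded request paths that contain an OGNL-style marker.
    Decodes twice because scanners often double-encode the payload."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(unquote(m.group(1)))
        if OGNL_MARKER.search(path):
            hits.append(path)
    return hits


# Constructed sample data
SAMPLE_JARS = ["struts2-core-2.3.34.jar", "struts2-core-2.5.17.jar",
               "struts2-core-2.5.16.jar", "commons-lang3-3.7.jar"]
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Aug/2018:09:45:01 +0000] "GET /struts-showcase/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Aug/2018:09:45:09 +0000] "GET /struts-showcase/%24%7B1%2B1%7D/actionChain1.action HTTP/1.1" 302 0 "-" "python-requests/2.19"',
]

if __name__ == "__main__":
    print("needs patch:", vulnerable_jars(SAMPLE_JARS))
    print("suspicious paths:", suspicious_request_paths(SAMPLE_LOG))
```

The version check is the one that matters; the log heuristic will produce false positives on applications that legitimately put braces in URLs, and it only sees attempts, not whether they succeeded.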

Recorded Future revealed it had “detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,” while Volexity claimed it has “observed multiple APT groups leveraging Apache Struts vulnerabilities to gain access to target networks.”

Trend Micro revealed in its midyear roundup report this week that detections for cryptocurrency miners rocketed 956% from the first half of 2017 to the first six months of this year.

Categories: Cyber Risk News

Most NHS Trusts Provide No Alternative to Consumer IM

Fri, 08/31/2018 - 09:20
Most NHS Trusts Provide No Alternative to Consumer IM

The majority of England’s NHS Trusts could be exposing themselves to privacy and compliance risk by using consumer IM tools, a new Freedom of Information request has revealed.

Mobile solutions provider CommonTime analyzed responses from 136 of the country’s 151 hospital trusts to find that over half (58%) have no policy in place to discourage the use of consumer-grade IM platforms like WhatsApp and iMessage.

A further 56% provided no approved alternative to staff for these messaging applications, six trusts listed them as official communications channels, and 17 trusts said they’d banned the apps altogether.

A previous report from the vendor revealed that use of such applications is widespread in the health service as healthcare workers under huge amounts of pressure look for easy ways to communicate and share patient data.

It found that 43% of NHS staff are reliant on instant messaging at work, with many claiming patient care would suffer if they didn’t have access to the technology.

However, sharing patient data over consumer messaging apps can cause compliance problems and raise issues around patient privacy.

The report cited multiple anonymous examples given by responding NHS employees: patient data sent to the wrong person, sometimes outside the health service; patient addresses and phone numbers being shared; and unauthorized access to patient details.

“When considering the usage of WhatsApp and other consumer messaging apps within a GDPR context, a health service data controller must consider if they are able to provide a copy of data if requested by a patient and that they are able to erase personal data when requested,” claimed CommonTime head of IT and security, David Juby.

It was estimated that around half a million NHS employees rely on IM tools at work: including both clinical and non-clinical staff.

CommonTime’s head of healthcare, Steve Carvell, argued that staff needed to be given more data protection guidance and the right tools to do their job securely.

“Where consumer messaging isn’t appropriate, trusts have a responsibility to provide alternative communication tools that are effective in supporting secure information flows in healthcare,” he said.

Categories: Cyber Risk News