Email account takeover (ATO) attacks often last for over a week and result from employees reusing passwords across multiple sites, according to new research from Barracuda Networks.
The security vendor teamed up with researchers at UC Berkeley to study the lifecycle of email ATO attacks, examining 159 compromised accounts across 111 organizations.
The study revealed that attacker dwell time for over a third of accounts was more than one week, emphasizing the importance of monitoring and threat removal tools to spot suspicious behavior post-compromise.
Interestingly, in a fifth (20%) of cases, compromised accounts featured in at least one previous password breach. This suggests that attackers are exploiting credential reuse to hijack accounts, either through credential stuffing or similar automated techniques, although phishing is still a popular way to obtain log-ins.
In the vast majority (93%) of ATO incidents studied, the attacker did not use the account to send out phishing emails, perhaps concerned that this would increase their chances of being exposed.
Barracuda speculated that instead, they could be using the accounts to launch conversation hijacking attacks, or that they had simply performed ATO in order to sell the account to another cyber-criminal.
Supporting the second theory is the fact that, in 31% of cases, accounts are compromised by one actor and then used by a different player to mine for information, or monetized in another way.
This again emphasizes the importance of rapid intrusion detection and response, the report claimed.
A single actor compromised and utilized accounts in 51% of cases.
Attackers are most likely to use hijacked email accounts to go after email-related Office 365 applications (78%). Of the remaining 22% of cases, the majority (17%) featured attempts to access SharePoint for sensitive documents.
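The credential-stuffing pattern the study points to (one source trying many different accounts, each a handful of times, and occasionally succeeding with a reused password) is visible in ordinary authentication logs. The following detector is an added example, not code from Barracuda or the study; the log line format, the field names and the sample lines are constructed for illustration, and the thresholds (four distinct failed accounts from one source inside five minutes) are assumptions to tune against real volumes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not data from the Barracuda study).
# The first source fails against many different accounts once each and then
# gets into one of them, the shape of credential stuffing; the second source
# is a single user retrying their own password and should not alert.
SAMPLE_LOG = """\
2020-07-20T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.7
2020-07-20T10:00:02Z LOGIN_FAILED user=bob src=203.0.113.7
2020-07-20T10:00:02Z LOGIN_FAILED user=carol src=203.0.113.7
2020-07-20T10:00:03Z LOGIN_FAILED user=dave src=203.0.113.7
2020-07-20T10:00:04Z LOGIN_OK user=erin src=203.0.113.7
2020-07-20T10:00:05Z LOGIN_FAILED user=frank src=203.0.113.7
2020-07-20T10:05:00Z LOGIN_FAILED user=alice src=198.51.100.9
2020-07-20T10:05:30Z LOGIN_FAILED user=alice src=198.51.100.9
2020-07-20T10:06:00Z LOGIN_OK user=alice src=198.51.100.9
"""

# Assumed line format; adapt the pattern to the identity provider's real export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def find_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=4):
    """Flag source addresses that fail logins for at least min_users distinct
    accounts inside a sliding time window, and list which accounts they then
    logged into successfully (the ones that need a forced reset and review)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # move the window's left edge until the span is at most `window` long
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            failed_users = {e["user"] for e in span if e["event"] == "LOGIN_FAILED"}
            if len(failed_users) >= min_users:
                got_in = sorted({e["user"] for e in span if e["event"] == "LOGIN_OK"})
                alerts[src] = {
                    "distinct_failed_users": len(failed_users),
                    "successful_logins": got_in,
                }
    return alerts


if __name__ == "__main__":
    for src, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

Counting distinct accounts per source, rather than failures per account, is what separates stuffing from a user mistyping their own password; the single-user retries from the second address never reach the threshold.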
Over 1500 online databases and counting have been wiped by a mystery attacker, for no apparent reason other than they are misconfigured and exposed to the public internet.
Researcher Bob Diachenko was first to notice the campaign after he discovered a misconfigured database belonging to Hong Kong-based VPN provider UFO. After being notified, the company secured the data, only for it to reappear at a different IP address.
This time the attacker pounced, overwriting all data with the words “meow” and a string of random numbers. It appears as if no ransom note was left.
“After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address – all of the records destroyed now by a new ‘Meow’ bot attack,” tweeted Diachenko earlier this week. “[The] new Elasticsearch bot attack does not contain any ransom or threats, just 'meow' with a random set of numbers. It is quite fast and search&destroy new clusters pretty effectively.”
According to a Shodan search, there were 1269 impacted Elasticsearch servers globally and 276 MongoDB instances hit by the “meow” bot at the time of writing. It’s unclear whether the attacker first stole victims’ data or if this is a purely destructive campaign.
Boris Cipot, senior security engineer at Synopsys, described the attacks as a “game changer” which may actually motivate organizations to follow security best practice.
“We’re seeing organizations rushing to identify and secure exposed databases, which is a much-needed and long overdue step for many firms. It’s alarming that by running a single Shodan search, we’re able to see just how many unsecured devices and services are out there – all of which are potential attack vectors,” he argued.
“There is the possibility that the attacker isn’t abusing the user data prior to its deletion. If that is in fact the case, meow attacks could actually be safeguarding users from more financially-driven malicious attackers. While the user would be impacted either way – having just lost whatever data was being stored on an affected database – at least it wouldn’t be held for ransom or sold on the dark web, for instance.”
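The common factor in the wiped instances is a datastore bound to a public interface with no authentication in front of it. The checker below is an added example, not code from the article or from any of the vendors named in it: it reads the two settings that decide that exposure in elasticsearch.yml (`network.host`, `xpack.security.enabled`) and mongod.conf (`net.bindIp`, `net.bindIpAll`, `security.authorization`), with a weak configuration beside a corrected one. The sample files are constructed, and the rule that a missing security key counts as disabled is this example's conservative assumption; confirm the default for the version you run.

```python
# Constructed sample configurations (not taken from any victim in the article).
# The keys are the real elasticsearch.yml and mongod.conf settings; the rules
# that judge them are this example's own assumptions.
EXPOSED_ES = """\
cluster.name: search-prod
network.host: 0.0.0.0        # listen on every interface
http.port: 9200
"""
HARDENED_ES = """\
cluster.name: search-prod
network.host: 10.0.5.12      # internal interface only
http.port: 9200
xpack.security.enabled: true # require authentication
"""
EXPOSED_MONGO = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_MONGO = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_simple_yaml(text):
    """Minimal parser for the flat or indented 'key: value' style these files use.
    Returns dotted keys, e.g. {'net.bindIp': '0.0.0.0'}. Not a full YAML parser."""
    settings = {}
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        full_key = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))   # a nested mapping follows
        else:
            settings[full_key] = value
    return settings


def judge(product, reachable, auth_required):
    """Turn the two facts that matter into findings; empty list means acceptable."""
    findings = []
    if reachable and not auth_required:
        findings.append(f"{product}: bound to a non-loopback interface with no authentication")
    elif not auth_required:
        findings.append(f"{product}: authentication disabled; only the loopback binding protects it")
    return findings


def assess_elasticsearch(settings):
    # Assumption: a missing xpack.security.enabled is treated as disabled.
    host = settings.get("network.host", "_local_")          # Elasticsearch default
    auth = settings.get("xpack.security.enabled", "false").lower() == "true"
    return judge("elasticsearch", host not in LOOPBACK, auth)


def assess_mongodb(settings):
    bind = settings.get("net.bindIp", "127.0.0.1")          # mongod default
    reachable = settings.get("net.bindIpAll", "false").lower() == "true" or any(
        ip.strip() not in LOOPBACK for ip in bind.split(",")
    )
    auth = settings.get("security.authorization", "disabled").lower() == "enabled"
    return judge("mongodb", reachable, auth)


if __name__ == "__main__":
    for name, text, fn in [("exposed ES", EXPOSED_ES, assess_elasticsearch),
                           ("hardened ES", HARDENED_ES, assess_elasticsearch),
                           ("exposed Mongo", EXPOSED_MONGO, assess_mongodb),
                           ("hardened Mongo", HARDENED_MONGO, assess_mongodb)]:
        print(name, fn(parse_simple_yaml(text)) or ["ok"])
```

Run against the deployed configuration files before a Shodan search finds the instance for you; a bind to a private address with authentication enabled, as in the hardened Elasticsearch sample, produces no finding, while an unauthenticated loopback-only instance is reported separately so that a later change to the bind address is not a silent exposure.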
The UK’s sporting organizations have been told to urgently improve cybersecurity after a new GCHQ report revealed that 70% have experienced a breach or incident in the past year, more than double the business average.
The National Cyber Security Center (NCSC) study also claimed that 30% of these organizations have experienced over five incidents in the past year.
In a sector said to contribute £37bn to the UK economy, it’s no surprise that most threats are financially motivated. Almost a third (30%) of incidents studied caused direct financial damage to the victim organization – on average, £10,000 per security breach, although one organization lost over £4m.
Tried-and-tested techniques are being used to compromise firms in the sector, including phishing, credential stuffing, malware and password spraying.
The most common threat is business email compromise (BEC). The NCSC claimed one Premier League football club nearly lost a £1m transfer fee to scammers after they hijacked the Office 365 account of its managing director. The scam was only stopped after the bank noticed a problem with the payee account.
Similarly, cyber-fraud was pegged as another common threat to sporting organizations: including not just BEC but also mandate fraud, CEO fraud, conveyancing fraud and invoice fraud. Three-quarters (75%) of surveyed firms had received fraudulent emails and at least 30% said they had experienced people fraudulently impersonating the organization in emails. Less than a third have DMARC configured, said the NCSC.
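DMARC is the control that lets a domain owner tell receiving mail servers what to do with messages that fail SPF or DKIM alignment, which is what makes the impersonation described above harder. The classifier below is an added example, not code from the NCSC report: it parses a domain's DMARC TXT record and reports whether the policy is missing, monitor-only (`p=none`, which reports impersonation but does not block it), partially enforced (a `pct` below 100) or enforcing. The sample records are constructed, and the function takes the record text as a string rather than performing the DNS lookup itself.

```python
# Added example: classify DMARC records by how much protection they actually give.
# Records below are constructed samples, not real domains' records.
SAMPLE_RECORDS = {
    "no-record.example":   "",
    "monitor.example":     "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example",
    "partial.example":     "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforcing.example":   "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; ruf=mailto:forensic@enforcing.example",
    "broken.example":      "v=spf1 include:_spf.example -all",   # an SPF record, not DMARC
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record):
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    if not record or not record.strip():
        return "missing"
    tags = parse_dmarc(record)
    # A DMARC record must identify itself as DMARC1 and carry a policy tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))      # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitor-only"
    if policy in ("quarantine", "reject"):
        return "enforcing" if pct >= 100 else "partial"
    return "invalid"


def has_reporting(record):
    """True when the record asks for aggregate reports (rua), which is how a
    domain owner learns who is spoofing them even while still at p=none."""
    return "rua" in parse_dmarc(record)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify_dmarc(record):13} reporting={has_reporting(record)}")
```

A domain at `p=none` with a `rua` address is the sensible first step (it reveals which third parties send as the domain before any mail is blocked); the goal for an organization that is being impersonated in invoice or transfer fraud is to reach `p=reject` at `pct=100`.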
Two-fifths (40%) of attacks on sporting organizations involved some form of malware, with ransomware the biggest threat. One English Football League (EFL) club experienced a serious outage which hit virtually all endpoints, locally stored data and stadium CCTV and turnstiles, almost leading to the cancellation of a match.
“While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber-criminals cashing in on this industry is very real,” said NCSC director of operations, Paul Chichester.
“I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrime.”
Multi-factor authentication, role-based monitoring, improved cyber-awareness programs, business continuity plans and a board-level discussion of risk are all vital actions for the industry going forward, said the NCSC.
A recent Delaware Department of Health and Social Services data breach resulted in the private data of hundreds of disabled Delawareans being included in a student project.
Data included in the breach included full names, birth dates, primary diagnosis, and county of residence.
The breach occurred when four students from the University of Delaware contacted a Delaware Division of Developmental Disabilities Services (DDDS) provider. The students reached out to request data for a project that aimed to use geo-mapping to detect gaps in the services received by DDDS recipients.
A DDDS employee who emailed out information in response to the students' request neglected to anonymize sensitive data. Their slip-up caused the private information of 350 recipients of DDDS support to be exposed.
The data breach was only discovered when the unwitting students included the sensitive data in a presentation on their senior project, given via Zoom on May 8.
According to WDEL, those affected by the breach were notified by letter. Dated June 29, the letter stated: "For the purposes of the project, the UD students requested information about service recipients living within a specific geographic area, as well as basic demographic information such as age range and disability status. In response, a DDDS staff person sent information, via email, to the four students on April 9, 2020, for use in their final project."
The information emailed to the students included highly sensitive data that the department admitted should have been "de-identified."
Social Security numbers included in the data sent out to students had been redacted.
According to the letter, action was taken to secure the data as soon as the breach was detected.
"DDDS senior leadership halted the presentation as soon as the personal information was presented," the letter said. "DDDS instructed the students to delete all files containing the data used in the project (including emails, shared files, and the presentation itself)."
While the staff member who claimed responsibility for the breach has been addressed "administratively," according to the DDDS, an investigation into the incident is ongoing.
Those impacted by the breach were not offered any form of free credit monitoring.
Louisiana State University's research entity has been awarded a $25m federal contract to create a digital dome capable of protecting the Pelican State's energy infrastructure from cyber-threats.
State Governor John Bel Edwards announced on Monday that the contract to carry out the groundbreaking work had been won by Stephenson Technologies Corp. Over the next five years, the company will create a virtual construction capable of protecting Port Fourchon and America's only offshore deepwater port, Louisiana Offshore Oil Port (LOOP).
Over 250 companies operate at Port Fourchon, which serves 90% of deepwater oil and gas activities in the Gulf of Mexico and handles around 15% of America's shipments of domestic and foreign oil. Daily traffic at the port can involve around 400 capacious supply vessels.
The digital dome will defend these assets by collecting, interpreting, and fusing electromagnetic signals in the area spanning Port Fourchon and its connection to LOOP. Cyber-threats will be neutralized after detection, and any intelligence gathered concerning nautical risks affecting vessels, passengers, and cargo will be passed on to coastal enforcement agencies.
Inspiration for the digital dome project came from an all-weather air defense system established in Israel in 2011.
“Perhaps the most exciting aspect of this project is we first envisioned it on our economic development mission to Israel in 2018,” Governor Edwards said.
“In viewing the Iron Dome that Israel created to protect its air defense systems, we glimpsed what Stephenson Technologies Corporation could create to protect our nation’s most vital energy gateway at Port Fourchon."
Edwards added that the project would be a boost to the state's burgeoning IT and cybersecurity industries.
"Not only will this project provide critical protection for the US energy supply, STC’s work will advance Louisiana’s growing base of cybersecurity and IT talent,” he said.
Funding for the digital dome project was awarded from the US Department of Defense’s Naval Research Laboratory.
LSU established Stephenson Technologies Corp. in 2016 with support from Louisiana Economic Development. The entity's creation was part of the university's strategy to strengthen its support of the defense community. Since its creation, Stephenson has gathered more than $60m in contract awards.
The Digital Stree Shakti program aims to teach 5000 young women in 10 Maharashtra cities how to stay safe while online. Participating students will be aged between 16 and 25.
Training will cover areas including fake profiles, account hacking, cyber-bullying, gender-based trolling, online harassment, stalking, morphing, cyber-grooming, revenge porn, sextortion, online fraud, email spoofing and dangerous internet dares.
The program will be taught in the form of webinar sessions, instructional videos, PowerPoint presentations, and online workshops. Young women who complete the training will be awarded the title of Cyber Sakhee.
Case studies taken from the real world will be included in the training, placing the very real danger of cyber-threats in context.
Responsible Netism is a non-profit start-up that aims to promote cyber-safety by educating children and young people about how to protect themselves while online. Founder Sonali Patankar revealed that the program hadn't been created solely as an educational tool.
“We also play the role of being a referral organization,’’ she said. “We connect participants facing online distress with the local law enforcement, local organizations and mental health professionals for any psychological support required in terms of counseling or other interventions.’’
Trainees will be taught how to detect and report cybercrimes and where to go if they become victims of cyber-threats such as virtual bullying. A recent study conducted by Responsible Netism and the Cyber Peace Foundation supported by Maharashtra State Council of Educational Research and Training found that 80% of school students aged 10 to 17 in Maharashtra do not report the cybercrimes they experience online to their parents, teachers, or the police.
Patankar said that courses would be available in Marathi, Hindi, and English, with students invited to choose whichever language they find most comfortable for their instruction.
Maharashtra State Commission for Women member secretary Aastha Luthra said: “Our initiative to empower young women digitally is a way to strengthen and make them more confident and competent to cope with the challenges which have emerged in the present times. The program also underscores the commitment and dedication of the commission.’’
Nearly half (43%) of UK and US employees have made errors leading to cybersecurity repercussions, according to a new study from Tessian. The analysis, undertaken in April during the height of the COVID-19 pandemic, suggests that the disruption and additional stress and distractions of remote working are making organizations more vulnerable to cyber-attacks facilitated by human error.
In the survey of 1000 workers in the UK and 1000 workers in the US, a quarter admitted to clicking on a link in a phishing email whilst at work. This most commonly occurred in the technology sector (47%).
Additionally, 20% of companies revealed they have lost customers due to sending an email to the wrong person. This was a mistake 58% of employees admitted to making and a further 10% said they had lost their job as a result.
Distraction was the biggest cause for these kinds of mistakes, according to the report. Nearly half (47%) highlighted being distracted as the main reason for falling for a phishing scam while 41% said this was the biggest factor in sending an email to the wrong person.
Other major reasons for clicking on phishing links were fatigue (44%), the perceived legitimacy of the email (43%), and because the emails purportedly came from a senior executive (41%) or a well-known brand (41%).
Over half of workers (52%) added that they make more mistakes at work when stressed, 43% when tired and 41% when distracted. Notably, 57% of workers stated they are more distracted when working from home.
With home working set to become much more common following the health crisis, the report suggests businesses need to focus on providing more extensive user awareness training.
Tim Sadler, CEO and co-founder of Tessian, commented: “To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate for each person.”
The Federal Trade Commission (FTC) has said COVID-19-related shopping scams are its top coronavirus-related consumer complaint.
Testifying before the Senate Commerce Committee Subcommittee on Manufacturing, Trade, and Consumer Protection on its efforts to combat scams and other consumer problems related to the ongoing COVID-19 pandemic, Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said it has been monitoring consumer complaints and the marketplace for a variety of scams linked to the COVID-19 pandemic.
As well as deceptive advertising or marketing touting “miracle cures” for COVID-19, the FTC also detailed complaints about merchants offering masks, personal protective equipment and related products for sale but then failing to ship the promised products, meet delivery agreements and provide refunds to consumers.
To get these false treatment claims taken down as quickly as possible, the FTC has sent more than 250 warning letters to marketers regarding claims that their products will treat, cure or prevent COVID-19. In most cases, companies that have received such letters have taken steps to quickly correct their problematic claims. The FTC, however, reiterated that it will pursue law enforcement action when a warning letter does not stop the problem.
The FTC has also sent warning letters to multi-level marketing companies regarding COVID-19 prevention or treatment claims and earnings claims, and to VoIP service providers for “assisting and facilitating” illegal telemarketing or robocalls related to the COVID-19 pandemic.
Smith said it is often the case that, following reports of a health scare, deceptive advertising or marketing touting “miracle cures” quickly emerge. “The COVID-19 pandemic has put this cause and effect scenario into overdrive,” he warned. “Although some of these supposed ‘treatments’ seem facially preposterous, it is not uncommon for consumers in distress to be willing to try (and spend) anything in the hopes that it will protect them or their families from sickness or death.”
Smith said the FTC has “worked aggressively to educate consumers of all ages” about coronavirus-related scams from the onset of the pandemic, and FTC staff across the Bureau of Consumer Protection have conducted national and local outreach with partners to reach a variety of audiences. “The FTC also has provided outreach specifically on privacy during the coronavirus pandemic, a concern of many businesses and consumers as the pandemic has shifted the workplace from traditional office spaces to consumers’ homes,” he said.
“The pandemic has led to an increased reliance on technology to stay connected, and the Commission is staying abreast of privacy or data security issues that may arise so that consumers and businesses can better protect themselves in this increasingly virtual world.”
The FTC also announced complaints or settlements in more than 30 law enforcement matters, including settlements that will return more than $225m to consumers. Smith also urged Congress to pass legislation that would clarify that the agency does have authority under the FTC Act to obtain money for consumers from fraudsters and scammers.
The University of York has launched an investigation after it had personal details of staff and students stolen by hackers.
As outlined in a statement on the university’s website, the source of the breach was an attack on a third-party service provider, tech firm Blackbaud, which fell victim to ransomware in May 2020. The University of York was first informed of the incident on July 16.
“The cyber-criminal was able to remove a copy of a subset of data from a number of their [Blackbaud’s] clients. This included a subset of University of York data.”
The university uses the Blackbaud system to record engagement with members of the university community, including alumni, staff and students and extended networks and supporters, it outlined.
In terms of the data stolen, the University of York stated this may have included information such as name, date of birth and student number along with address, phone number, email address and professional details.
However, it said that a Blackbaud investigation found that no encrypted information, such as bank account details or passwords, was accessed, and that no credit card information formed part of the data theft either.
“We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cyber-criminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cyber-criminal that the data had been destroyed,” the statement continued.
“There is no need for our community to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.”
The university’s own investigation into the incident is ongoing and it has notified the UK's Information Commissioner’s Office (ICO).
Commenting on the story, Jake Moore, cybersecurity specialist at ESET, said: “Every single day that an organization delays informing those affected is another day where their data is in the wrong hands and is at risk of being abused by criminals. Victims must be made aware at the earliest opportunity and organizations need to urgently understand the huge risk those affected are at.
“The ICO states they need to be informed of an attack within 72 hours and threaten organizations with hefty fines, but this still doesn’t mean they will be forced to pay. This in turn increases the possibility of such organizations being slow to react when making those affected aware of the risks, and puts people’s personal information in jeopardy.”
Two Chinese state-backed hackers have been issued with an 11-count indictment alleging attempts to steal COVID-19 vaccines as part of a hacking spree lasting more than 10 years.
Li Xiaoyu, 34, and Dong Jiazhi, 33, are accused of targeting IP in high-tech, medical, pharma, engineering, business and other sectors in the US, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden and the UK.
Although sometimes acting for personal gain, such as trying to extort cryptocurrency by threatening to release stolen source code, they are said to have worked with the backing of the Chinese government.
Their targets over the 10+ year period included not only businesses but pro-democracy and human rights activists in the US, Hong Kong, China and elsewhere.
According to the indictment, they exploited vulnerabilities in web servers, web app development suites and software collaboration tools to gain a foothold into networks, sometimes targeting newly announced bugs. Web shells and credential harvesting tools were then deployed to enable remote code execution and persistence.
Data set to be exfiltrated was first packaged into RAR files, but the duo are said to have changed file names and extensions and system timestamps, and hidden documents in recycle bins and other locations, to stay hidden. On some occasions they revisited previously breached organizations years after the event, the DoJ claimed.
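Two of the staging habits described in the indictment, renaming archives so that their extension no longer matches their content and parking them in recycle bins, both leave a checkable trace: the file's first bytes still identify the archive format. The scanner below is an added example, not code from the DoJ filing or from Mandiant: it compares each file's magic bytes against its extension (allowing for formats such as .docx that are legitimately ZIP containers) and notes archives sitting in locations users rarely inspect. The observations it runs over are constructed samples, not evidence from the case, and the list of suspicious locations is an assumption to extend for your own environment.

```python
import os

# Public file-format signatures for archive types commonly used to stage data.
SIGNATURES = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),   # RAR 4.x and RAR 5.x
    "zip": (b"PK\x03\x04",),
    "7z":  (b"7z\xbc\xaf\x27\x1c",),
}

# Extensions that legitimately carry each container format (Office documents,
# Java archives and OpenDocument files are all ZIP containers).
EXPECTED_EXTS = {
    "rar": {"rar"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk", "odt", "ods", "odp"},
    "7z":  {"7z"},
}

# Assumption: path fragments that a user would not normally browse.
HIDING_SPOTS = ("$recycle.bin", "/recycler/", "/recycled/")


def identify_archive(header):
    """Return 'rar', 'zip', '7z' or None from the first bytes of a file."""
    for kind, sigs in SIGNATURES.items():
        if any(header.startswith(s) for s in sigs):
            return kind
    return None


def extension_of(path):
    base = os.path.basename(path.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def scan(records):
    """records: iterable of (path, first_bytes). Returns a list of
    (path, archive_kind, [reasons]) for files worth a second look."""
    findings = []
    for path, header in records:
        kind = identify_archive(header)
        if kind is None:
            continue                      # not an archive, nothing to compare
        reasons = []
        ext = extension_of(path)
        if ext not in EXPECTED_EXTS[kind]:
            reasons.append(f"content is {kind} but extension is '.{ext or '(none)'}'")
        lowered = path.replace("\\", "/").lower()
        if any(spot in lowered for spot in HIDING_SPOTS):
            reasons.append("archive stored in a location users rarely inspect")
        if reasons:
            findings.append((path, kind, reasons))
    return findings


# Constructed sample observations (path, first eight bytes); not evidence from the case.
SAMPLE = [
    (r"C:\Users\j\Documents\quarterly.rar", b"Rar!\x1a\x07\x00\x00"),                # legitimate
    (r"C:\$Recycle.Bin\S-1-5-21-1\report.docx", b"Rar!\x1a\x07\x01\x00\x00\x00"),     # disguised RAR
    (r"C:\ProgramData\cache\update.tmp", b"PK\x03\x04\x14\x00\x00\x00"),             # disguised ZIP
    (r"C:\Users\j\Documents\budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),             # real spreadsheet
    (r"C:\Users\j\Documents\notes.txt", b"hello wo"),                                  # not an archive
]


if __name__ == "__main__":
    for path, kind, reasons in scan(SAMPLE):
        print(path, kind, "; ".join(reasons))
```

Reading only the first bytes keeps the scan cheap enough to run across a file server; timestamp manipulation, the third habit the indictment mentions, is not something a header check can see and needs the filesystem's own metadata sources instead.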
The two are charged with conspiring to steal IP from eight companies in the form of technology designs, manufacturing processes, test mechanisms and results, source code and pharmaceutical chemical structures.
Li and Dong would spend decades in prison if caught and convicted, although that’s unlikely to happen as long as they remain in China.
News of the indictment comes in the same week that the UK’s National Cyber Security Center (NCSC) warned that Kremlin hacking group APT29 (aka Cozy Bear) has been attempting to steal vaccine-related IP from organizations in the UK and North America.
Mandiant senior manager of analysis, Ben Read, argued that state-sponsored hackers have put a premium on stealing info on COVID-19 vaccines. He added that the pattern of conducting for-profit and for-government attacks is similar to “China-nexus” groups such as APT41.
“Mandiant has tracked this group since at least 2013; the targeting and description of their TTPs is consistent with what we have observed,” said Read.
“The Chinese government has long relied on contractors to conduct cyber-intrusions. Using these freelancers allows the government to access a wider array of talent, while also providing some deniability in conducting these operations.”
Almost a third of the global cybersecurity workforce is now female, but discrimination and a major gender pay gap continue to blight the industry, according to newly released findings from (ISC)2.
The security certifications company analyzed data from its (ISC)2 Cybersecurity Workforce Study in order to better understand the role women play in the sector.
Some of the findings were fairly positive: survey respondents estimated that women comprise more than 30% of their teams today, up from around a quarter last year.
What’s more, 63% said they planned a career in the industry from as early on as their university days, a greater proportion than for men (54%). Over half (53%) started their careers in the profession, versus just 38% of men.
Women also see cybersecurity as a long-term career: over two-thirds (68%) said they plan to stay put for the remainder of their working lives. Some 69% of women versus 66% of men said they are either very or somewhat satisfied with their jobs, with women more likely to be “very satisfied” (34% versus 27%).
Yet while this bodes well for the future, there are still major challenges facing women in cybersecurity which could perpetuate gender imbalance in the sector.
Over a fifth (22%) cited discrimination as an issue they’d experienced in their careers, versus just 13% of men.
Women are also being paid significantly less than men, especially in North America and Europe.
The average salary for female cybersecurity employees in North America is just under $80,000, versus an average of around $96,500 for men. In Europe, the average salary for women is about $40,500 compared to $67,000 for men.
Overall, women are paid around 21% less than their male counterparts globally. Although this may reflect much broader societal challenges, the need for parity is particularly urgent in a cybersecurity industry where skills shortages are so acute.
“Women in the field face more discrimination and receive lower compensation than men. If these inequities are corrected, the cybersecurity profession may attract more women,” concluded (ISC)2 community manager, Andrea Moore.
“This would benefit business, by boosting diversity and attracting different points of view, and for the industry, by helping to close the workforce gap of four million workers.”
Kaspersky is alerting SOC teams to a new malware framework it has discovered and linked to the notorious North Korean hacking group known as Lazarus.
Dubbed “MATA,” the framework has apparently been in use since around April 2018, mainly to aid in attacks designed to steal customer databases and distribute ransomware.
Since that time it appears to have been deployed in a wide variety of scenarios, targeting e-commerce firms, software developers and ISPs across Poland, Germany, Turkey, Korea, Japan and India.
The framework itself gives its controllers the flexibility to target Windows, Linux and macOS, and consists of several components including loader, orchestrator and plugins.
Kaspersky tied its use to the Lazarus group, which has been engaged for years in cyber-espionage and sabotage and, via its Bluenoroff subgroup, attempts to accrue illicit funds for its Pyongyang masters. The group was pegged for WannaCry, as well as sophisticated attacks on financial institutions including the infamous $81m raid of Bangladesh Bank.
Kaspersky senior researcher, Seongsu Park, argued that the latest attacks linked to Lazarus show it is willing to invest serious resources to develop new malware toolsets in the hunt for money and data.
“Furthermore, writing malware for Linux and macOS systems often indicates that the attacker feels that he has more than enough tools for the Windows platform, which the overwhelming majority of devices are run on. This approach is typically found among mature APT groups,” he added.
“We expect the MATA framework to be developed even further and advise organizations to pay more attention to the security of their data, as it remains one of the key and most valuable resources that could be affected.”
The security vendor urged SOC teams to access the latest threat intelligence feeds, install dedicated security on all Windows, macOS and Linux endpoints, and to back up regularly.
The strategic partnership was formed with the mission to give national corporate customers and small to medium enterprises (SME) in Europe access to world-class security services in the form of simple, prefabricated packages. Each package will be specifically designed by a trusted provider to meet the needs of the client.
In a statement released today, Vodafone described the new agreement with Accenture as "a key step forward in Vodafone Business’ strategy to offer enterprise-grade cybersecurity to businesses of all sizes."
As well as helping even the most petite of businesses, the partners have pledged to help all organizations regardless of where they fall on the spectrum of cybersecurity experience.
Vodafone said it will "bring enterprise-grade cybersecurity along with access to leading cyber talent and expertise to organizations that do not have the experience, time or resources to keep up with the rapidly evolving threat landscape."
Accenture and Vodafone Business have further revealed plans to jointly invest in security innovation in an effort to protect organizations from emerging cyber-threats.
Vinod Kumar, CEO of Vodafone Business, said the partnership will allow smaller companies to protect themselves with advanced solutions that may otherwise be beyond their grasp.
“We are committed to better support small and medium enterprises and national corporate sized businesses as they transform and ‘future ready’ their organization," said Kumar.
"Working with Accenture, we will leverage our combined capabilities and global experience to deliver modular security solutions, offering access to technologies that until now were only available to companies with large IT budgets."
Vodafone Business managed security services will launch later this year to SME and national corporate-sized businesses, initially in Italy and Spain, with the United Kingdom and Germany to follow.
Kelly Bissell, who leads Accenture Security globally, said the dangers of cybercrime to businesses everywhere should not be underestimated.
“The distinct nature of cybercrime makes it borderless and anonymous. Cybercriminals can come from anywhere and as they take advantage of the COVID-19 situation, they pose a significant threat to businesses of all sizes with costly consequences,” said Bissell.
OPAQ is a Secure Access Service Edge (SASE) cloud provider based in Herndon, Virginia. The company is known for its Zero Trust Network Access (ZTNA) cloud solution, designed to protect all kinds of distributed networks, including data centers, branch offices, remote users, and Internet of Things (IoT) devices.
Since being founded in 2017, OPAQ has opened offices in 8 states across America and now employs around 50 people. Prior to its own acquisition, the company acquired Bat Blue Networks and Drawbridge Networks in 2017 and FourV Systems in 2018.
With Fortinet's acquisition of the company now complete, OPAQ's patented ZTNA solution has been combined with Fortinet’s existing SASE offering in a bid to form the best-in-class SASE cloud security platform.
According to Fortinet, this new platform will boast the industry’s only true zero trust access and security by providing industry-leading next-generation firewall and SD-WAN capabilities, web security, sandboxing, advanced endpoint, identity/multi-factor authentication, multi-cloud workload protection, cloud application security broker (CASB), browser isolation, and web application firewalling capabilities.
Fortinet is headquartered in Sunnyvale, California. The company was founded in 2000 by brothers Ken and Michael Xie.
Commenting on the acquisition, CEO and Chairman of the Board Ken Xie said: “The recent SASE market momentum further validates our Security-driven Networking approach and underscores what we’ve been saying for years. In this era of hyperconnectivity and expanding networks; with the network edge stretching across the entire digital infrastructure, networking and security must converge."
Xie said acquiring OPAQ would help Fortinet's SASE platform become the most comprehensive one in existence.
"The Fortinet SASE platform delivers the broadest security and industry-leading SD-WAN and networking offerings that can all be delivered to customers and partners through a flexible, cost efficient and patented zero-trust cloud architecture," said Xie.
"The acquisition of OPAQ actually further enhances our existing SASE offering enabling Fortinet to deliver the most complete SASE platform on the market."
In 2018, Fortinet purchased threat analytics company ZoneFox for $18m and IoT-focused security firm Bradford Networks for $17m.
A Texas college project to improve the cybersecurity and energy efficiency of commercial buildings is being supported by the United States Department of Energy (DOE).
The Securing Grid-Interactive Efficient Buildings through Cyber Defense and Resilient System project designed by Texas A&M University College of Engineering has received $3.5m from the DOE’s Building Technologies Office.
Over the next three years, the project aims to research, develop, and demonstrate a real-time, advanced, building-resilient platform through multi-layer prevention and adaptation mechanisms.
Partnering with Texas A&M on the project are Raytheon Technologies Research Center, Drexel University, Arizona State University, Pacific Northwest National Laboratory, and Northwestern University, among others.
To facilitate the project, a local testbed will be developed in Texas. There, a team led by Associate Professor Zheng O'Neill will use a hardware-in-the-loop simulation technique to explore and demonstrate potential approaches to cybersecurity and energy efficiency.
O'Neill's team is currently on the lookout for potential building partners who can help them to field test their cyber-defense and resilient system (CYDRES) in the third year of the project.
“The proposed CYDRES system will accurately identify cyber threats in real-time and offer immediate defense against malicious network activity,” O’Neill said.
“In addition, the fault detection, diagnostics, and prognosis and cyber-resilient control scheme will enhance grid-interactive efficient building tolerance to both cyber-related and physical faults while maximizing the potential energy savings and load flexibility and maintaining occupant satisfaction. CYDRES will be prototyped and tested in a hardware-in-the-loop and real building environment. The resulting test data will be used to inform the building community and support the technology transfer to the industry.”
O'Neill said current building automation systems (BAS) leave smart buildings vulnerable to attack as they are often designed and operated with little consideration of cybersecurity.
“Current physical behavior-based anomaly detection methods employed by building automation systems fail to differentiate cyber-attacks from equipment or operational faults,” she said. “Such distinction is critical in ensuring the appropriate automated mitigation, via control response, of cyber threats and providing actionable recommendations to facility managers.”
According to O'Neill, CYDRES should be effectively monitoring, detecting, and responding to cyber-attacks and physical system faults by the project's conclusion.
The COVID-19 crisis has created a ripe environment for fraudsters to operate, a recent online panel discussion held by security firm Kaspersky has outlined. This is primarily due to increased reliance of individuals on digital services as a result of lockdown restrictions.
In the session, it was revealed that online shopping fraud has risen by 55% compared to 2019 due to the substantial rise in eCommerce and home deliveries during the pandemic.
Additionally, since June, 2500 instances of COVID-19-related fraud have been reported, with losses totalling £7m. Other data highlighted in the discussion included a 35% increase in dating fraud, as more people turn to dating apps, and a 16% rise in courier fraud.
The panellists were David Emm, principal security researcher at Kaspersky, Claire Hatcher, global head of fraud prevention solutions at Kaspersky and detective superintendent Neil Jones of Greater Manchester Police in the UK.
As well as much greater use of the internet, the ongoing nature of the crisis and its health, economic and social implications has provided a unique opportunity for fraudsters to scam and trick people. Emm noted: “Consider Valentine’s Day, Black Friday, the Olympics, the World Cup; they are ‘here today, gone tomorrow’ topics that cyber-criminals can latch onto.
“Frankly, who in the world is not keenly interested in what’s going on with this pandemic? Everybody is, and therefore, fraudsters have a persistent topic that they can milk, week after week. It’s made people even more vulnerable than seasonal events.”
While attacks have primarily revolved around COVID-19 themes, the actual tactics used haven’t been especially novel; just increased and more targeted. Hatcher said: “It’s always a process of, get in through phishing, download some malware, then exploit the human aspect of social engineering to use those credentials. Essentially, the newness is just the context. The attack itself is the same one re-envisaged in the new world we live in, but naturally it has increased a lot, because we are more susceptible now.”
In regard to organizations protecting themselves effectively at this time, doubling down on already established best practices is critical, especially for those without the resources to invest in the most sophisticated cybersecurity software.
Emm added: “Many organizations are going to read about these threats and think, ‘oh my goodness, what can we do?’ Sometimes, it’s the basic things. Protecting all devices, including mobiles – updating them and backing up data. Just trying to give staff some basic information about not replying to unsolicited texts, using unique passwords and using a password manager helps.”
The Trusted Connectivity Alliance (TCA) – a global, non-profit industry association that brings together SIM ecosystem participants to work towards enabling a secure, connected future – has announced the election of Claus Dietze as chair. Dietze succeeds Remy Cricco who steps away from the TCA following a successful three-year tenure in the role.
The TCA has also announced the expansion of its board, increasing the number of available board seats from five to seven. The TCA board is responsible for defining the organization’s focus and strategic direction and will be made up of the following members for 2020/21:
- Chair: Claus Dietze – senior director global standardization, Giesecke+Devrient Mobile Security
- Jean-Philippe Betoin – director, strategic marketing IoT platform, Arm
- Benoît Collier – vice-president of mobile operator product line and MVNO IoT, IDEMIA
- Cyril Caillaud – head of eSIM, product management and marketing, NXP Semiconductors
- Michele Scarlatella – strategy technology and systems architecture, STMicroelectronics
- Stephane Quetglas – director of marketing for embedded products, Thales
- Bertrand Moussel – R&D director, smartcard & platforms, Valid
Commenting on his appointment, Dietze said: “I look forward to working with my board colleagues, wider membership and association partners in our shared goal to enable a secure, connected future.
“As we look towards the opportunities and challenges that lie ahead in an increasingly connected future, the ability of SIM technology to deliver trusted connectivity and dynamic security is extending its applicability across new sectors.”
Looking ahead at the next 12 months, the TCA board has identified the following activities as key roadmap priorities:
- Ensuring eSIM interoperability
- Expanding eSIM benefits to more IoT use-cases
- Leveraging SIM technology for IoT security, including continued collaboration with GSMA on IoT SAFE
- Addressing fragmentation across integrated SIM technologies
- Evolving and optimizing 5G SIM technology to enhance 5G network services and maximize investments, while promoting and protecting mobile subscriber privacy
Dietze concluded: “On behalf of the membership, I would also like to thank Remy Cricco for his valued contribution over the past three years. Under his leadership, our organization underwent a significant transformation which strongly positions it to support the future advancement of the SIM industry.”
Russia has been named as a “highly capable cyber-actor” by the UK government’s Intelligence and Security Committee.
Claiming that “the UK is one of Russia’s top Western intelligence targets,” particularly given the UK’s firm stance against recent Russian aggression and the UK-led international response to the 2018 Salisbury attack, the ISC warned that Russia’s intelligence services are disproportionately large and powerful and are able to act without constraint. This has allowed a fusion between state, business and serious and organized crime, making Russia an all-encompassing security threat.
In terms of the cyber-threat, the ISC report stated that Russia employs organized crime groups to supplement its cyber-skills and carries out malicious cyber-activity in order to assert itself aggressively, including interference in democratic processes, and has “undertaken cyber pre-positioning on other countries’ Critical National Infrastructure.”
The report claimed: “Given the immediate threat this poses to our national security, we are concerned that there is no clear coordination of the numerous organizations across the UK intelligence community working on this issue; this is reinforced by an unnecessarily complicated wiring diagram of responsibilities amongst Ministers.”
The report acknowledged the work of former chair Dominic Grieve MP, and did welcome the government’s increasingly assertive approach when it comes to identifying the perpetrators of cyber-attacks. The ISC, chaired by Dr Julian Lewis MP, urged the UK to encourage other countries to adopt a similar approach to ‘naming and shaming’ cyber-adversaries.
The report also addressed the issues of democratic interference, saying “protecting it must be a ministerial priority, with the Office for Security and Counter-Terrorism taking the policy lead and the operational role sitting with MI5.” It also said while social media companies hold the key they are “failing to play their part,” so the government must establish a protocol with these companies to ensure that they take covert hostile state use of their platforms seriously, with agreed deadlines within which such material will be removed.
In particular, it accused the government of being slow to recognize the threat of interference in democratic processes, stating it was only understood after the Democratic National Committee email breach. “As a result, the government did not take action to protect the UK’s democratic process in 2016.”
Acknowledging an “obvious inherent tension between the government’s prosperity agenda and the need to protect national security,” particularly with political business interests with Russian organizations, the ISC said Russia “poses a tough intelligence challenge and our intelligence agencies must have the tools they need to tackle it.”
This should lead to new legislation to tackle foreign spies, with the Official Secrets Act declared “not fit for purpose."
“More broadly, we need a continuing international consensus against Russian aggressive action,” the ISC said. “Effective constraint of nefarious Russian activities in the future will rely on making sure that the price the Russians pay for such interference is sufficiently high: the West is strongest when it acts collectively, and the UK has shown it can lead the international response.”
Ray Walsh, digital privacy expert at ProPrivacy, said: “The Russia report finally published today by the UK government confirms what cybersecurity experts have been calling attention to for many years; that the Russian government and its state-employed hackers are engaging in active cyber-warfare against the West, which includes phishing attempts against government agencies, the deployment of covert exploits designed to steal top-secret information and activities designed to influence the democratic elections of other nations.
“The release of the Russia report – and its direct allegations against the Kremlin – indicate a shift by the UK government towards actively identifying and assigning blame to state-sponsored cyber-warfare performed by Russia, a move that reveals the urgency of the problem and the immediate threat it poses to the UK's national security.
“Now that the UK has attributed blame, it will be interesting to see how exactly the government proceeds and what it can do to prevent those activities and produce actual changes in light of the findings.”
Cath Goulding, CISO at Nominet, said: “One of the main recommendations of the report is to establish a central responsibility for a coordinated response to these threats, rather than a ‘hot potato’ approach with no one government body taking the lead. This is aligned with our recommendations for government security – which requires large-scale, national protective interventions, to bring their citizens, businesses and economies a more secure environment.
“This means that there needs to be a breadth of security across government, all the way down to the local level, which is consistent, cohesive and coordinated. This is critical to ensure a high level of security across all departments, with no weak spots for threat groups to exploit, and greater awareness of the threats facing the UK. Not only will this facilitate a stronger security posture, but also more opportunities for international collaboration to mitigate attacks against governments.”
This year could see a record breaking 20,000 vulnerabilities reported, with major increases in mobile bugs already in 2020, according to Skybox Security.
The security vendor’s midyear update to its 2020 Vulnerability and Threat Trends Report contains some concerning findings for organizations as they struggle to manage cyber-risk at a time of mass remote working.
With 9000 vulnerabilities reported in the first half of the year, the firm is predicting the final total for 2020 could exceed 20,000, more than double the first-half count. The figure for new CVEs in 2019 was 17,304. Without risk-based, automated patch management, organizations struggle to prioritize and mitigate this volume of issues, leaving them exposed to attack.
Part of this increase is due to a surge in Android OS flaws: these increased 50% year-on-year, according to Skybox.
“This rise has come at the same time as home networks and personal devices increasingly intersect with corporate networks as a result of the move towards a mass, remote workforce,” the report claimed.
“These trends should focus the need for organizations to improve access controls and gain visibility of all ingress and egress points to their network infrastructure.”
The report also revealed an increase in new ransomware variants of 26% year-on-year in the first half of 2020, leading the way ahead of Trojans (23%), botnets (21%), backdoors (15%) and RATs (15%).
The firm claimed to have monitored 77 new ransomware campaigns in the first few months of the pandemic as cyber-criminals sought to take advantage of unpatched systems, distracted workers and overwhelmed IT teams.
“COVID-19 has completely reshaped the way that organizations and their employees work. With the majority of the workforce now working remotely, the network perimeter has significantly widened – securing this perimeter now needs to be a top strategic priority,” argued Ron Davidson, VP of R&D and CTO of Skybox Security.
“Organizations need to be able to identify the flaws that sit within both personal and professional devices. They also need to be able to model their expanded network so that they can understand all potential attack vectors.”
A major Argentinian ISP has become the latest organization to be hit by a serious ransomware attack, with cyber-criminals demanding millions in payment by today.
Telecom Argentina is thought to have been compromised last week. One insider posted the purported ransom note to Twitter, as well as what appears to be an online placeholder from the firm.
The firm’s official website is currently down and local reports suggested that employees started having trouble accessing internal VPNs and databases as early as last Wednesday.
As most employees are working from home, the incident appears to be causing major disruption to productivity at the firm, with staff being told not to log on to corporate resources.
Reports on social media suggest the REvil (Sodinokibi) group may be behind the attack. If the firm has not paid by the end of today, the attackers are threatening to double the ransom, to be paid in Monero.
The group is known to have targeted vulnerabilities in Citrix and Pulse Secure remote access systems in the past, although it’s not clear at this stage how they compromised Telecom Argentina.
REvil also often steals data belonging to victim organizations, with the now-common strategy of threatening to release sensitive details unless a ransom is paid. It even claimed to have obtained incriminating details on Donald Trump earlier this year after an attack on New York law firm Grubman Shire Meiselas & Sacks.
However, that doesn’t seem to be the case with Telecom Argentina.
Founded in 1990, the Buenos Aires-headquartered firm has over 16,000 employees and owns one of only three mobile phone operators in the country.
Mark Bagley, VP of product at AttackIQ, argued that this could be one of the most expensive ransomware attacks of the year.
To mitigate the risk of such attacks, organizations must focus on detecting lateral movement inside networks, combat credential stuffing and conduct regular testing, he added.
“A security program that included network segmentation, preventing the lateral movement of an adversary, would have been decisive in mitigating this situation,” Bagley argued.
“Legacy approaches that focus on stopping an adversary at their initial attempts to access targets of interest will continue to fail. Companies must design their security programs to minimize the impact when an adversary successfully infiltrates their network.”
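Bagley's two recommendations, detecting lateral movement and enforcing segmentation so that a foothold cannot spread, can be made concrete with a small check over logon records. The following is an added example written for this page; it is not code from the article, from AttackIQ or from Telecom Argentina, and nothing is known about that incident's logs. It assumes a constructed key=value logon format (ts, user, src, dst, event) and an assumed segment plan in which workstations sit in 10.10.0.0/16 and servers in 10.20.0.0/16. The first check flags an account that authenticates to an unusual number of distinct hosts inside a short window (the fan-out pattern of an adversary pivoting between systems); the second lists the logon attempts a per-account segment policy would have denied, which is the point at which segmentation would have been "decisive."

```python
"""Added example: fan-out detection and segment-policy checks on logon records.

Log format, account names, addresses and policy are all constructed
assumptions for illustration; they are not drawn from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: a service account reaches six server hosts in
# about a minute (one attempt fails), while two user accounts behave normally.
SAMPLE_LOG = """\
2020-07-15T09:58:10 user=alice src=10.10.1.23 dst=10.20.0.5 event=logon_success
2020-07-15T10:01:02 user=svc_backup src=10.10.1.40 dst=10.20.0.11 event=logon_success
2020-07-15T10:01:15 user=svc_backup src=10.10.1.40 dst=10.20.0.12 event=logon_success
2020-07-15T10:01:31 user=svc_backup src=10.10.1.40 dst=10.20.0.13 event=logon_failure
2020-07-15T10:01:44 user=svc_backup src=10.10.1.40 dst=10.20.0.14 event=logon_success
2020-07-15T10:02:05 user=svc_backup src=10.10.1.40 dst=10.20.0.15 event=logon_success
2020-07-15T10:02:20 user=svc_backup src=10.10.1.40 dst=10.20.0.16 event=logon_success
2020-07-15T10:30:00 user=bob src=10.10.1.77 dst=10.20.0.5 event=logon_success
2020-07-15T11:45:00 user=alice src=10.10.1.23 dst=10.20.0.6 event=logon_success
"""

# Assumed segment policy (default deny): which destination networks each
# account may reach. The backup account is pinned to a single backup server.
POLICY = {
    "svc_backup": [ipaddress.ip_network("10.20.0.11/32")],
    "alice": [ipaddress.ip_network("10.20.0.0/24")],
    "bob": [ipaddress.ip_network("10.20.0.0/24")],
}


def parse_line(line):
    """Parse one 'ts key=value ...' record into a dict with a datetime ts."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def fanout_alerts(records, window=timedelta(minutes=10), threshold=5):
    """Return {user: max_distinct_hosts} for accounts that touched more than
    `threshold` distinct destination hosts within any sliding `window`.
    Failed attempts count too: an adversary probing hosts still fans out."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["ts"], r["dst"]))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) > threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


def policy_violations(records, policy=POLICY):
    """Return (user, dst, event) for every logon attempt whose destination is
    outside the account's allowed networks. Unknown accounts are denied."""
    out = []
    for r in records:
        dst = ipaddress.ip_address(r["dst"])
        allowed = policy.get(r["user"], [])
        if not any(dst in net for net in allowed):
            out.append((r["user"], r["dst"], r["event"]))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("fan-out alerts:", fanout_alerts(recs))
    for v in policy_violations(recs):
        print("segment policy would deny:", v)
```

In the constructed data the backup account is flagged for reaching six distinct hosts in under ten minutes, and five of its logon attempts fall outside its allowed destination. The two checks are complementary: the fan-out rule is a detection signal after the fact, while the policy table represents the segmentation control that would have blocked those connections in the first place. Tune the window and threshold against baseline behaviour for each account class before relying on the rule, since scanners and management tools legitimately fan out.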