Info Security


APT Uses Spear Phishing in New Campaign

Thu, 08/30/2018 - 14:54

An advanced persistent threat group, active since at least 2016 and suspected of carrying out multiple attacks around the globe, is reportedly targeting institutions in Europe and Russia, according to a report released today by NETSCOUT Arbor.

On 13 August NETSCOUT’s ASERT team identified new spear-phishing campaign activity from the financially motivated hacking group Cobalt. Given that the messages appear to be coming from a trusted source, many victims fall prey to these types of campaigns in which malicious actors disguise themselves as other financial institutions. 

The phishing messages used to gain entry look as if they come from financial vendor or partner domains, increasing the likelihood of infection. In addition, the group reportedly uses tools that allow it to bypass Windows defenses.

NS Bank in Russia and Banca Comerciala Carpatica of Romania were the two phishing targets identified; one of the phishing emails was weaponized with two malicious URLs.

The first contained a malicious Word document with obfuscated VBA scripts, which researchers said differed from the known CVEs that had been used in parallel with this campaign.

The second weapon was a binary with a JPEG extension. Researchers analyzed the binaries and found that they contained “two unique C2 servers we believe are owned and operated by the Cobalt hacking Group.”

These two malware samples suggest that the campaigns are connected to Cobalt Group. Analysis showed that a JavaScript backdoor, believed to be a stager for additional payloads, contained functionality similar to that of another version of the backdoor.

“This Cobalt Group actor(s) mimic financial entities or their vendors/partners in order to gain a foothold in the target’s network. Making use of separate infection points in one email with two separate C2s makes this email peculiar,” researchers wrote.

“One could speculate that this would increase the infection odds. The actor tries to hide the infection by using regsvr32.exe and cmstp.exe, which are both known for bypassing AppLocker (configuration dependent)," they continued.

"ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.”
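The infection chain described above (a phishing Word document whose macro hands off to regsvr32.exe or cmstp.exe) leaves a process-tree signal that endpoint telemetry can catch regardless of AppLocker configuration. The following detection rule is an added example written for this article, not code from NETSCOUT or ASERT; the pipe-delimited record format, host names, paths and user names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Office applications that commonly host a phishing lure's macro.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed Windows binaries the ASERT write-up names as AppLocker-bypass vehicles.
WATCHED_BINARIES = {"regsvr32.exe", "cmstp.exe"}


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed, pipe-delimited process-creation record.

    Field order (an assumption of this example, not a vendor format):
    timestamp|host|user|parent_image|image|command_line
    The command line is the last field so it may itself contain pipes.
    """
    fields = line.split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*fields)


def is_office_spawned_lolbin(ev: ProcessEvent) -> bool:
    """True when regsvr32/cmstp is launched directly by an Office application.

    Installers (msiexec) and service hosts run regsvr32 legitimately; an Office
    parent is the discriminator for the macro-driven chain in this campaign.
    """
    return (basename(ev.image) in WATCHED_BINARIES
            and basename(ev.parent_image) in OFFICE_PARENTS)


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the rule over raw records and return one alert dict per match."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_office_spawned_lolbin(ev):
            alerts.append({
                "timestamp": ev.timestamp,
                "host": ev.host,
                "user": ev.user,
                "parent": basename(ev.parent_image),
                "image": basename(ev.image),
                "command_line": ev.command_line,
                "rule": "office-spawned-regsvr32-or-cmstp",
            })
    return alerts


# Constructed sample records (not real telemetry): a user opens a downloaded
# document, Word then spawns regsvr32 and cmstp; the msiexec and notepad lines
# are benign noise the rule must not flag.
SAMPLE_EVENTS = """\
2018-08-13T09:02:11Z|WS-101|CORP\\alice|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.doc"
2018-08-13T09:02:40Z|WS-101|CORP\\alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll
2018-08-13T09:03:05Z|WS-101|CORP\\alice|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\cmstp.exe|cmstp.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\profile.inf
2018-08-13T09:15:22Z|WS-204|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"
2018-08-13T09:20:00Z|WS-101|CORP\\alice|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe
"""


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The parent-child pairing is deliberately narrow: it catches the chain in this campaign without depending on command-line contents, which the actor controls.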

Categories: Cyber Risk News

Hundreds of Banks Exposed from Fiserv Flaw

Thu, 08/30/2018 - 14:46

A flaw in the web platform of Fiserv Inc., a technology services provider for financial institutions, reportedly exposed personal and financial account information on hundreds of bank websites, according to KrebsonSecurity.

Security researcher Kristian Erik Hermansen contacted Krebs two weeks ago to report that “he’d discovered something curious while logged in to an account at a tiny local bank that uses Fiserv’s platform.” Shortly thereafter, KrebsonSecurity contacted Fiserv, which explained that there had been an issue in “a messaging solution available to a subset of online banking clients.”

While Fiserv declined to say exactly how many financial institutions may have been impacted overall, there are reportedly 1,700 banks currently using Fiserv’s banking platform.

“Fiserv places a high priority on security, and we have responded accordingly,” a Fiserv spokesperson told Krebs.

“After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”

Fiserv is a critical financial services vendor for banks around the globe. “A breach or data leak such as this could have a huge impact on not only the financial system in the US but globally as well,” said Jake Olcott, VP of strategic partnerships at BitSight Technologies.

“Hundreds of banks that leverage its solutions were impacted by this breach, demonstrating firsthand the imperative need for financial services companies to keep a close eye on the third-party vendors that have access to their data and customer information," Olcott continued. 

“At a higher level, financial services companies need to make sure they are having continuous, data-driven conversations with their vendors about security efforts and procedures. Fostering a more collaborative approach to security can unite businesses and their vendors in the war against an increasingly volatile threat landscape and help safeguard all parties from leaks and breaches."

Categories: Cyber Risk News

Hearing Date Set in Georgia Election Security Case

Thu, 08/30/2018 - 14:40

A hearing date has been set in the ongoing Georgia election cybersecurity case, Curling v. Kemp, in which Georgia citizens are suing Secretary of State and gubernatorial candidate Brian Kemp for more secure elections. The hearing is scheduled for Monday, 17 September, at 11am.

Oral arguments will take place at the US District Court in Atlanta before Judge Amy Totenberg, and David Cross, a partner at the law firm Morrison & Foerster, will represent the group of Georgia citizens who are the case’s plaintiffs.

Currently, Georgia’s voting system uses direct-recording electronic (DRE) voting machines, and Georgia is one of only a few states with no independent paper trail, which leaves the electronic voting system vulnerable to election interference.

On behalf of the plaintiffs, Cross filed a brief in US federal court supporting their request for Georgia to switch to paper ballots for the November election. As part of the order filed, the Court denied the state’s motion to dismiss as to standing and immunity.

“Plaintiffs’ requested relief places all voters on an equal playing field and protects all voters against interference,” the brief said. “Defendants have provided no basis for this Court to find that the requested relief is so much more burdensome than the costly, complex, unsecure DRE-based system to warrant subjecting voters to that unreliable system.”

The plaintiffs added, “Defendants provide no basis for this Court to deny the Curling Plaintiffs’ Motion. They substitute conjecture for facts and legal authority and implicitly concede the inherent unreliability of the current DRE-based system. But they refuse to do anything about it this year. This violates the U.S. Constitution and Georgia state law and necessitates injunctive relief.”

Additionally, the plaintiffs “fully appreciate the gravity of their request” but said that “a preliminary injunction from this Court is the only way to protect their right to vote against manipulation or dilution this year.”

After the oral arguments are heard, Judge Totenberg will decide whether Georgia will have to switch to using paper ballots for the upcoming November general election, though there is no timeline yet for when a decision will follow.

Categories: Cyber Risk News

Machine Identity Failings Expose Firms

Thu, 08/30/2018 - 10:08

Nearly all IT decision makers believe that protecting machine identities is as important as or more important than human identity management, but most struggle to deliver that protection, according to a new Forrester study.

The analyst firm was commissioned by Venafi to poll 350 global IT leaders about the challenges they face in securing machine identities; 80% said they are having difficulties with this.

In this context, “machine” could mean any kind of digital entity on a network, according to Venafi vice-president of security strategy and threat intelligence, Kevin Bocek.

“This means that everything, including websites, software, applications, devices, even algorithms, are machines,” he told Infosecurity. “And every single one of them needs an identity in order to communicate with other machines securely.”

Unfortunately, while IAM in the context of human identities is maturing, the failure to protect digital entities represents a coming security storm.

Nearly half (47%) of respondents said protecting machine identities and human identities will be equally important to their organizations over the next 12-24 months, while 43% claimed machine identity protection will be more important.

The vast majority (70%) admitted they are tracking fewer than half of the most common types of machine identities found on their networks, including cloud instances (56%), mobile devices (49%), SSH keys (29%) and containers and microservices (25%).

This could expose them to the risk of customer and corporate data theft, process disruption, downtime and customer attrition, the report claimed.

Bocek explained that machine identity attacks typically follow one of three methods.

“In the first, hackers steal machine identities for spoofing purposes, using them to establish themselves as trusted inside a network or to move around without being detected. Last year, for example, saw over 14,000 fake PayPal sites set up by scammers abusing machine identity to help them trick unsuspecting web users,” he said.

“The second scenario sees the misuse of machine identity to cause havoc across the victim’s entire network — a classic example of this would be the 2015 Ukrainian power grid attack when Russia managed to insert a valid SSH key into the grid and used it to shut down power across the country. Lastly, stolen machine identities are also used by hackers who want either to infiltrate an organization without being noticed and exfiltrate large amounts of data, hit targets with malware such as SQL injection attacks or cross-scripting attacks or to escalate privileges.”

Mitigating machine identity attacks requires IT teams to gain visibility into the location of every digital entity on the network and ensure their keys and certificates are valid and up-to-date.

“Organizations need to automate the process of securing machine identities, since in today’s environment, they’re being created and used on a scale that only other machines can keep up with,” Bocek added. “For any mid- to large-size organization, centralizing and automating the discovery, replacement and remediation of all machine identities on a network is the only realistic defense.”

Categories: Cyber Risk News

Chinese Hotel Breach May Have Hit 100 Million+ Customers

Thu, 08/30/2018 - 09:37

Chinese police are investigating a possible breach at a major hotel group which could have affected over 100 million customers.

Shanghai's Changning District police confirmed on Tuesday that it had been called out by Huazhu Group, which operates more than 3000 hotels in hundreds of cities, running 18 brands domestically, including the foreign chains Mercure and Ibis.

The incident came to light after a dark web vendor put data allegedly stolen from the group up for sale for eight Bitcoins ($55,600).

State media claimed that 500 million records were stolen. These reportedly included 123 million registration details including names, mobile numbers and ID numbers; 130 million check-in records including names, addresses and birth dates and 240 million hotel stay records including card and mobile numbers.

Cybersecurity intelligence firm Zibao reportedly suggested the breach may have happened when the hotel’s developers uploaded a database to GitHub.

Andy Norton, director of threat intelligence at Lastline, speculated that the hackers in this case may not be experienced.

"It looks like human error is to blame for this breach. It also looks like the threat actors selling the data don't have the contacts or infrastructure to monetize the stolen IDs individually,” he explained. “It could be that speculative Google dorking resulted in a script kiddie holding this data and trying to sell it.”

Tim Mackey, technical evangelist at Synopsys, added that if the GitHub rumors are true, the hack appears to be in the same opportunistic mold as last year's Uber breach.

“Development teams using public source code systems like GitHub and public continuous integration (CI) systems like Travis-CI need to recognize that any developer activity which causes a push to a public repository or a public branch can be viewed by others,” he said.

“The increasing popularity of hosted development tools like GitHub, Jira and Travis-CI make them ideal sources of information for malicious actors.”

If there are any EU citizens' data amongst the trove it will also be interesting to see how China reacts to a possible GDPR investigation.

Categories: Cyber Risk News

Air Canada Presses Reset After App Security Snafu

Thu, 08/30/2018 - 09:05

Air Canada has forced a password reset for its mobile app users after spotting unauthorized access attempts which may have compromised personal data on as many as 20,000 customers.

The airline claimed to have discovered “unusual login behavior” between August 22-24.

“We immediately took action to block these attempts and implemented additional protocols to block further repeated unauthorized attempts,” it added. “As an additional security precaution, we have locked all Air Canada mobile app accounts to protect our customers’ data.”

The firm began notifying the affected users, which represent 1% of its total global app user profiles, on Wednesday and claimed it was confident the incident hasn’t affected others.

If attackers have managed to compromise accounts, they will be able to access profile data including name, email address and telephone number. However, Air Canada explained that some customers may also have added more sensitive details including Aeroplan number, passport number, NEXUS number, known traveler number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence. 

All credit card information is encrypted in accordance with PCI DSS requirements, but the airline also urged customers to review their financial transactions regularly.

“We are also requiring all Air Canada mobile App users to reset their passwords using improved password guidelines to further enhance security measures,” it added. “A more robust password provides an extra layer of protection.”

It’s unclear if users will be forced to create strong passwords or if the guidelines are voluntary.

Security experts questioned why the airline still relies on password-based authentication for customers when multi-factor authentication (MFA) represents industry best practice.

“It’s 2018. Why hasn’t the airline already mandated stronger passwords? Secondly, for personal information as important as possibly passport data, why hasn’t the airline mandated or at least offered multi-factor authentication for its users?” asked One Identity senior director, Bill Evans.

“These are relatively simple measures that could and should have been deployed prior to the challenges of the past two weeks.”

Bill Conner, CEO of SonicWall, added that some of the potentially stolen details will fetch a high price on the dark web as they cannot be easily changed.

“As threats continue to loom and intensify, total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as employee education and the securing of IoT devices to prevent tampering and unauthorized access,” he concluded.

It's yet to be confirmed whether the incident came as a result of a breach of Air Canada’s systems or whether hackers cracked users’ accounts using previously breached data, although the relatively small number of accounts affected would suggest the latter.

Categories: Cyber Risk News

Stamping Out Art Forgery with Cryptocurrency

Wed, 08/29/2018 - 15:09

The marriage of art and technology has the potential to make art forgery a thing of the past by using blockchain technology, according to Thomas Crown Art. The art-tech agency, established by art dealer Stephen Howes and technology expert Ian McLeod, has created smART (Smart Art).

In an effort to eradicate counterfeit and provenance fraud, the company has created what it calls an innovative solution for artists and art collectors. The art itself has incorporated into it the underlying infrastructure on which cryptocurrencies like Bitcoin and Ethereum are based. According to its website, smART uses a system that transforms a physical work of art into a form of Blockchain Wallet, which contains an incorruptible, immutable and publicly verifiable certificate of provenance.

“Forgeries are, unfortunately, a growing and serious problem in the art world,” Howes said. “The fraudsters, who are getting better and better at producing both fake artwork and provenance documentation, have been wreaking havoc throughout the market in the last couple of years.”

Art crime has long been a lucrative business. Howes and McLeod see using blockchain and decentralized ledger technology at the point the artwork is created as a viable solution to both art and provenance forgery.

The company is providing what McLeod said is “the ability to use new works of art as a literal ‘store of value’ and serve as a cryptocurrency wallet for owners whilst providing an independent method to conclusively prove the provenance of artwork quickly and easily and to view an immutable chain of ownership."

“Using a blockchain to authenticate artwork is an ideal use-case for distributed ledger technology," he continued. "It provides the ability to store a permanent, immutable record of artwork at the point of creation which can be used to authenticate registered works by anyone with an internet connection.”

All Thomas Crown Art artwork and prints are recorded onto the blockchain with their own unique smart contract so that the owner of the artwork is able to control the ownership of the piece using the work's QR code and the artwork certificate.

“Using this cutting-edge technology, the art world can eradicate one of its biggest and most expensive problems – forgery – and can protect artists, galleries and private owners and collectors,” McLeod said.

Categories: Cyber Risk News

Cryptocurrency Platform Suffers Data Breach

Wed, 08/29/2018 - 15:03

Using its Facebook page to connect with global customers, Atlas Quantum, a cryptocurrency investment platform, announced a security incident that exposed the personal details of about 261,000 users, according to Have I Been Pwned.  

The company said that it learned of a security incident on Saturday, 25 August, and that it is both investigating the incident and working with the proper authorities, though the disclosure provided few details about the event.

“We would like to point out that this is not a steal of bitcoins in custody or violation of our accounts in the exchanges. However, our customer base was exposed. At the time of the incident, we took immediate steps to protect the database and passwords and private keys remain encrypted,” Atlas Quantum wrote.

The compromised information includes names, phone numbers, email addresses and account balances of Atlas Quantum users. “The Atlas Quantum data breach suggests that crypto services remain a high-profile target for hackers. Even those who do not actively use the platform to store or invest in crypto may have had their personal data exposed,” said Anurag Kahol, CTO, Bitglass.

“For companies like Atlas that store mass amounts of user data, reputation and user data security are closely tied. Quickly identifying the cause of this breach and mitigating the threat of further data loss is a critical next step for Atlas and prevention should be top of mind for all companies that store high-value data."

Hackers don’t discriminate when it comes to attack vectors, and financially motivated criminals will target cryptocurrency platforms looking for sizable payouts.

“It is important that organizations have the right tools in place to know where vulnerabilities exist and what they can do to prevent their customers’ data from being compromised. Cryptocurrency platforms need to be taking precautions, as the number of incidents like this seems to be increasing,” said Jonathan Bensen, director of product management and acting CISO, Balbix.

Categories: Cyber Risk News

Website of Rapper Cardi B Littered with Spam

Wed, 08/29/2018 - 14:52

The American rapper known as Cardi B has been tweeting lots of apologies of late, but it might be time for her web development team to recognize some of their own mistakes in light of news reports that spammers targeted her website.

Users hoping to see images of Cardi B when perusing the photos section of her website were instead met with spammed images as nefarious actors loaded random pictures that depicted not Cardi B but soccer games and other unrelated images.

Credit: Malwarebytes

According to Malwarebytes, the singer’s website was littered with “a peculiar blast of messed up spam text all over the page.” Added to the spam text was an array of click-throughs to fraudulent videos that were clogging up the website’s homepage, which led to fake movie streams and a soccer match involving Stoke City and Wigan Athletic.

“While the rogue pages in question seem to have been taken down, simply searching for the Cardi B website in Google reveals the damage done to the site’s search results. Spammy results...can take a long time to filter out of search engines, and it isn’t great to have things like that sitting at the top of the searches alongside legitimate results.”

Credit: Malwarebytes

The site allowed people to sign up as registered users and post comments, a feature that eventually attracted spammers who used this to send and insert spam all over the site, Malwarebytes said.

Since the news broke on Twitter, site administrators have been actively engaged in clean up. Existing users are still able to access the login page, but new sign-ups have been disabled.

“Social features for users of your site are great, but those services need to be balanced with tight moderation and a limit on where said features can take you—even if it is Stoke City versus Wigan Athletic,” said Malwarebytes.

Categories: Cyber Risk News

Instagram Bids to Boost Transparency and 2FA

Wed, 08/29/2018 - 10:41

Instagram has announced some new features designed to make accounts more transparent, harder to hijack and easier for brands and celebs to get verified.

The security and transparency features can be seen as a response in part to increased activity by Russian state actors looking to influence public opinion on social media ahead of elections.

In fact, Facebook was forced to remove seven Instagram accounts and multiple Facebook Pages and profiles a month ago after spotting “coordinated inauthentic behaviour” mirroring the kind of activity seen in the run up to the 2016 presidential election.

To that end, Instagram will be launching an 'About This Account' tool designed to make available more information on accounts with large numbers of followers — although it's unclear how popular an account has to be to qualify.

By tapping the account profile users will be able to see the date the account joined Instagram, the country where it’s located, accounts with shared followers, username changes in the last year and crucially any ads the account is running.

“Our community has told us that it’s important to them to have a deeper understanding of accounts that reach many people on Instagram, particularly when those accounts are sharing information related to current events, political or social causes, for example,” explained Instagram CTO, Mike Krieger. “If you do see an account on Instagram you believe violates our Community Guidelines, you can report it.”

User authentication is another key area for any popular web company and Instagram is tightening up its log-in security by announcing support for third-party authenticator apps which will roll out globally over the coming weeks.

This should help mitigate increasingly popular attacks designed to intercept 2FA passcodes sent by text. That technique was used to hijack Reddit employees’ cloud accounts in June, leading to a major breach at the web platform.

“To use a third-party app to log into your Instagram account, go to your profile, tap the menu icon, select ‘Settings’ at the bottom and then choose ‘Two-Factor Authentication.’ Select ‘Authentication App’ as your preferred form of authentication,” said Krieger.

“If you already have an authentication app installed, we will automatically find the app and send a login code to it. Go to the app, retrieve the code and enter it on Instagram, and two-factor authentication will turn on automatically. If you don’t have one installed yet, we will send you to the App Store or Google Play Store to download the authenticator app of your choice. Once you’ve installed it, return to Instagram to continue setting up your two-factor authentication.”

Finally, businesses and celebs will be able to apply for a Verified badge more easily thanks to changes on the network which will enable them to do so from Profile and then Settings.

Categories: Cyber Risk News

Over 50% of Top Global Sites Now on HTTPS

Wed, 08/29/2018 - 10:01

Half of the top one million sites in the world are now using HTTPS, in a boost for global web security, according to a leading researcher.

Scott Helme revealed that growth had slowed at the start of the year, but picked up again in recent months so that 51.8% of Alexa Top 1 Million sites were redirecting to the secure protocol as of August.

“Looking at the history we've made serious progress in the last couple of years and again we're continuing to see maintained growth which is exactly what we need,” he said. “The web is now well on its way to being 100% encrypted and long may it continue.”

Part of this growth is thanks to Let’s Encrypt, a free, automated certificate authority which claimed a fortnight ago that it added six million HTTPS domains in just five days and now services 124 million.

Another factor is that in July Chrome started warning visitors when they encounter non-HTTPS sites, a move which will certainly see more webmasters get proactive with adoption. Helme himself and fellow security researcher Troy Hunt have also been raising publicity via their site.

Elsewhere, Helme observed a fall in the use of public key pinning (PKP) following Google’s decision to deprecate the security mechanism. Although it was originally intended to help prevent Man in the Middle attacks, researchers have over recent years claimed that attackers could actually manipulate PKP to their own ends, for example by installing malicious pins.

Helme welcomed the increase in use of some security headers: specifically a 40% increase in CSP and a 23% increase in HSTS.

“Whilst we did see a slight reduction in the use of CSPRO, we saw a considerably larger increase in the use of CSP,” he explained. "My guess on what's most likely happening is that sites are moving from a report only version of a policy to an enforced version, which shows progress in deployments of CSP.”

However, it wasn’t all good news: Extended Validation (EV) certificate use doesn’t seem to have seen much growth, despite the growing popularity of HTTPS.
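The survey categories in this article (redirecting to HTTPS, HSTS, enforced versus report-only CSP, lingering HPKP) can be checked per site from the raw response headers. The classifier below is an added example written for this article, not Scott Helme's crawler code; the three sample responses are constructed, and the HPKP pin value is a placeholder.

```python
import re
from typing import Dict, List, Tuple

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Return (status code, headers) from the head of a raw HTTP/1.x response.

    Header names are lower-cased; repeated headers are kept as a list.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def assess(raw: str, scheme: str) -> Dict[str, object]:
    """Classify one response; `scheme` is the scheme the request was made over."""
    status, h = parse_response(raw)
    location = h.get("location", [""])[0]
    redirects_to_https = (scheme == "http" and status in REDIRECT_CODES
                          and location.lower().startswith("https://"))
    hsts_values = h.get("strict-transport-security", [])
    max_age = hsts_max_age(hsts_values[0]) if hsts_values else 0
    csp = "content-security-policy" in h
    cspro = "content-security-policy-report-only" in h
    if csp and cspro:
        csp_mode = "enforced+report-only"
    elif csp:
        csp_mode = "enforced"
    elif cspro:
        csp_mode = "report-only"
    else:
        csp_mode = "none"
    hpkp = any(k in h for k in ("public-key-pins", "public-key-pins-report-only"))
    return {
        "status": status,
        "redirects_to_https": redirects_to_https,
        "hsts_present": bool(hsts_values),
        # Browsers ignore HSTS received over plain HTTP, so a header on the
        # http:// redirect does not count; only an HTTPS response enables it.
        "hsts_effective": scheme == "https" and max_age > 0,
        "hsts_max_age": max_age,
        "csp_mode": csp_mode,
        # PKP is deprecated; its presence is a cleanup item, not a strength.
        "hpkp_present": hpkp,
    }


# Constructed sample responses (not captured from any real site).
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_REPORT_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp\r\n"
    "\r\n<html></html>"
)
HTTPS_ENFORCED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Public-Key-Pins: pin-sha256=\"PLACEHOLDER_PIN\"; max-age=5184000\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    print(assess(HTTP_REDIRECT, "http"))
    print(assess(HTTPS_REPORT_ONLY, "https"))
    print(assess(HTTPS_ENFORCED, "https"))
```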

Categories: Cyber Risk News

Cryptomining Malware Soars 956% in a Year

Wed, 08/29/2018 - 09:14

Crypto-mining malware detections jumped 956% in the first half of 2018 versus the whole of last year as cyber-criminals increasingly looked to more covert ways of making money, according to Trend Micro.

The security vendor claimed in its latest Midyear Security Roundup that it blocked over 20 billion threats in the first six months of this year.

However, fewer of these are standard “spray and pray” ransomware attacks and breaches, it claimed. In fact, 1H 2018 is the first time since the advent of ransomware in 2005 that there has been a decrease in new families discovered.

Instead, attackers are looking to crypto-jacking along with fileless, macro and small file malware techniques to fly under the radar.

There was a 956% increase in cryptocurrency malware detections versus 1H 2017, and a 250% increase in detections of small file malware, TinyPOS, compared to 2H 2017.

The findings chime with other research into the threat landscape. Check Point, for example, warned last month that the number of global organizations affected by cryptojacking rose from just under 21% in the second half of 2017 to 42% in 1H 2018, with cyber-criminals making an estimated $2.5bn over the past six months.

“The recent change in the threat landscape mirrors what we’ve seen for years — cyber-criminals will constantly shift their tools, tactics and procedures (TTPs) to improve their infection rates,” said Bharat Mistry, principal security strategist for Trend Micro.

“This means once again, business leaders must evaluate their defenses to ensure sufficient protection is in place to stop the latest and most pressing threats.”

On the plus side, data breach reporting remained pretty consistent during the period despite the advent of the GDPR, but the number of SCADA vulnerabilities reported by Trend Micro’s Zero Day Initiative doubled from 1H 2017.

The firm warned operators of Human Machine Interface (HMI) systems to be on the lookout for bugs as threat actors ramp up attacks from mere reconnaissance and testing to destructive raids.

In total, the ZDI published over 600 advisories in the first six months of 2018.

Categories: Cyber Risk News

A DDoS Knocked Spain's Central Bank Offline

Tue, 08/28/2018 - 17:17

In a distributed-denial-of-service (DDoS) attack that began on Sunday, 26 August, and extended into today, Spain's central bank was knocked offline. While Banco de Espana struggled to fight off the attack, business operations were not disrupted, according to Reuters.

"We suffered a denial-of-service attack that intermittently affected access to our website, but it had no effect on the normal functioning of the entity," a spokeswoman for Banco de Espana wrote in an email.

DDoS attacks interrupt services by overwhelming network resources. Spain’s central bank is a noncommercial bank, which means that it does not offer banking services online or on site, and communications with the European Central Bank were not impacted.

“Worryingly, as of Tuesday afternoon their website remained offline despite the attack having started on Sunday. Whether this was as a result of an ongoing attack, recovering from any resulting damage or as a precaution pending a forensic investigation is not clear,” said Andrew Lloyd, president, Corero Network Security.

“The recent guidance from the Bank of England (BoE) requires banks to have the cyber-resilience to 'resist and recover' with a heavy emphasis on 'resist.' The BoE guidance is a modern take on the old adage that 'prevention is better than cure.'  Whatever protection the Bank of Spain had in place to resist a DDoS attack has clearly proven to be insufficient to prevent this outage."

To help mitigate the risk of a DDoS attack, banks and other financial institutions can invest in real-time protection that can detect attacks before they compromise systems and impact customer service. 

As of the time of writing this, the bank's website appears to be back online.

Categories: Cyber Risk News

Two CERT Alerts with No Known Solution

Tue, 08/28/2018 - 16:39

Six days after researchers discovered and publicly disclosed a vulnerability that affects the Ghostscript suite of software, a CERT alert was issued for a vulnerability found in the Microsoft Windows Task Scheduler that allows hackers to gain elevated system privileges.

The latest Microsoft Windows Task Scheduler contains a local privilege escalation vulnerability. “With the latest Windows OS vulnerability made public, IT professionals need to be extra vigilant regarding their network users’ behaviors,” said Justin Jett, director of audit and compliance for Plixer.

“The PoC released by researcher SandboxEscaper on Twitter gives malicious actors the leverage needed to break into organizations to steal valuable information. Network traffic analytics should continue to be used to detect anomalous traffic going across the network and to spot where users are behaving in a way that they historically don’t,” Jett continued.

“We’ll have to wait for Microsoft to respond, but if nothing is released until the scheduled September 11 Patch Tuesday, hackers will have a two-week window to take advantage of this vulnerability.”

The second alert concerns a Ghostscript vulnerability, disclosed by the eSentire Threat Intelligence team: a flaw in the -dSAFER sandbox, which is intended to validate content, allows the sandbox to be circumvented so that malicious content gets through. By sending a malformed file (PDF, PostScript, XPS or EPS), a malicious actor can carry out the attack: when the file reaches the Ghostscript interpreter it executes automatically and infects the host machine.

“If exploited, the vulnerability could allow a remote, unauthenticated threat actor to run commands, create files and delete or extract data. The exploitation of this vulnerability has not been seen in the wild at this time, but proof of concept code has been released. It is likely that more widespread exploitation attempts will be seen in the near future,” researchers wrote in a post today.

A patch has not yet been released; however, researchers wrote, “a potential short term fix for this vulnerability is to disable PS, EPS, PDF, and XPS coders. This is not recommended due to the high potential for business disruption. Due to the wide range of programs that rely on Ghostscript this vulnerability should be taken seriously and patches should be applied as soon as vendors make them available.”
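The interim fix quoted above, disabling the PS, EPS, PDF and XPS coders, is ImageMagick's policy.xml mechanism; the article does not name ImageMagick, so it is assumed here as the application handing those formats to Ghostscript. The checker below is an added example, not code from the article, eSentire or Artifex: it parses a policy.xml and lists which of those coders remain enabled, and also covers ImageMagick's PS2 and PS3 PostScript coders, which the article does not mention.

```python
"""Audit an ImageMagick policy.xml for the interim Ghostscript mitigation.
Added example, not from the article or from eSentire/Artifex. The article's
short-term fix, "disable PS, EPS, PDF, and XPS coders", is ImageMagick's
policy.xml mechanism (ImageMagick, assumed here as the program handing those
formats to Ghostscript, is not named in the article). A coder is disabled by
a line such as:  <policy domain="coder" rights="none" pattern="PS" />
"""
import xml.etree.ElementTree as ET

# Coders named in the article, plus ImageMagick's PS2/PS3 PostScript coders,
# which the article does not mention but which reach Ghostscript the same way.
RISKY_CODERS = frozenset({"PS", "PS2", "PS3", "EPS", "PDF", "XPS"})


def blocked_coders(policy_xml: str) -> set:
    """Return the risky coders that policy_xml denies with rights="none".
    Only exact coder names and the "*" wildcard are understood; other glob
    patterns ImageMagick accepts are ignored, which can only under-report.
    """
    blocked = set()
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder":
            continue  # resource/path/delegate policies are not relevant here
        if (pol.get("rights") or "").strip().lower() != "none":
            continue  # e.g. rights="read|write" leaves the coder enabled
        pattern = (pol.get("pattern") or "").strip().upper()
        blocked.update(RISKY_CODERS if pattern == "*" else {pattern})
    return blocked & RISKY_CODERS


def missing_coders(policy_xml: str) -> list:
    """Risky coders still enabled by policy_xml, sorted for stable output."""
    return sorted(RISKY_CODERS - blocked_coders(policy_xml))


# Constructed sample: a typical default policy that only restricts PDF.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>"""

# Constructed sample: the interim mitigation from the article applied.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        gaps = missing_coders(policy)
        print(f"{name}: {'all risky coders disabled' if not gaps else 'still enabled: ' + ', '.join(gaps)}")
```

Run it against a real /etc/ImageMagick-6/policy.xml (path varies by distribution) by passing the file contents to missing_coders; an empty list means the interim mitigation is in place.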

Systems known to be affected include those from Artifex Software Inc., CentOS, LinkUs, Ubuntu, SUSE Linux, and Red Hat Inc. Apple, Arch Linux, Arista Networks Inc. and ASP Linux may also be affected. eSentire advised that patches be applied as quickly as possible once they are released.

Categories: Cyber Risk News

NIS Directive Met, Polish Cybersecurity in Effect

Tue, 08/28/2018 - 15:09

Poland's National Cybersecurity System Act, which aims to ensure an appropriate level of security of ICT systems, today enters into full effect. Originally adopted on 5 July 2018 by the Sejm, the lower house of the Parliament of Poland, the system covers a wide range of entities from operators of essential services to digital service providers and a cybersecurity council.

Along with its executive regulations, the act will fully implement the EU NIS Directive into Poland's legal order and create a single point of contact for cybersecurity matters.

Earlier this month, Poland was one of 17 countries to receive a warning from the European Commission for missing the 9 May 2018 deadline “to adopt an EU Directive that is designed to ensure the security of digital networks and information systems across the EU,” according to CISO Mag.

Concerns over the security of critical infrastructure have continued to grow as “the number of reported vulnerabilities related to supervisory control and data acquisition (SCADA) systems increased since the second half of 2017, and many of these vulnerabilities were found in human-machine interface (HMI) software,” according to a post from Trend Micro today.

The act distinguishes three different computer security incident response teams (CSIRTs). The teams will each be responsible for handling incident response in three particular realms of Poland’s cyberspace. CSIRT GOV will respond to governmental and subordinate unit infrastructures, including the NBP and BGK banks.

The CSIRT NASK team will be responsible for handling citizen and company incidents, including self-governmental organizations and state universities.

Finally, the CSIRT MON will handle the computer security incident response for entities supervised by the Ministry of Defense, which will include companies with economic and military significance.

In categorizing the responses, the teams will identify incidents as either critical, serious or significant.

Categories: Cyber Risk News

ICO Breach Complaints Jump 160% in a Year

Tue, 08/28/2018 - 10:45

There has been a huge annual rise in data breach complaints to the Information Commissioner’s Office (ICO) following the start of the General Data Protection Regulation (GDPR) regime, according to a leading law firm.

An FOI request issued by London-headquartered EMW revealed that the watchdog received 6281 complaints between May 25 and July 3 this year: a 160% increase on the same period in 2017.

It’s believed that the increased publicity around the GDPR, and the extra powers it gives consumers to manage and access details about their personal data, could have driven the rise.

To cope with the extra burden, the ICO itself is on a recruiting drive and hopes to increase the number of full-time staff from the current 530 up to 720, the report also revealed.

Its annual funding of £24m will also shoot up to £38m in 2018-19.

Mark Adams, regional vice-president of UK & Ireland at Veeam, claimed the figures should be a wake-up call for UK businesses.

“If this significant rise of GDPR-fuelled complaints tells us anything, it’s that how businesses handle data is now fully immersed within the public consciousness,” he added. “Businesses must therefore now become far more proactive in managing that data, because the cost of failure exceeds the now infamously heavy penalties. It could also cause a long tail of damage for a company’s brand and reputation.”

Adams recommended firms deliver company-wide training for employees on data handling and how to spot phishing attacks, to improve awareness, alongside intelligent data management tools and effective incident response processes.

Over the past few months alone there has been a spate of reported data breach incidents in the UK, including Superdrug, Ticketmaster and Dixons Carphone.

The latter could be in trouble with the ICO after grossly underestimating the size of the breach, which is now said to affect as many as 10 million customers.

Categories: Cyber Risk News

BEC Detections Soar 80%

Tue, 08/28/2018 - 10:10

The volume of Business Email Compromise (BEC) attacks caught by a leading security provider jumped by 80% over the past quarter.

Mimecast’s latest Email Security Risk Assessment (ESRA) report revealed the provider blocked over 41,000 impersonation attempts over the latest three-month period which were missed by other vendors. This could indicate its detection is getting better, rival vendors are getting worse and/or BEC attacks are becoming more popular.

Business Email Compromise typically occurs when members of the finance team are socially engineered into making massive fund transfers from the corporate bank account to third parties. Attackers do this either by spoofing the email of the CEO or CFO, or even by phishing and hacking their email account first.

There was a 136% increase in BEC losses between December 2016 and May 2018, with over $12.5bn lost globally between October 2013 and May 2018, according to the FBI.

Mimecast’s ESRA also revealed that the vendor caught over 19 million pieces of spam, 200,000 malicious links, 13,176 emails containing dangerous file types and 15,656 malware attachments.

“Targeted malware, heavily socially-engineered impersonation attacks, and phishing threats are still reaching employee inboxes. This leaves organizations at risk of a data breach and financial loss,” said Matthew Gardiner, cybersecurity strategist at Mimecast.

The findings highlight email as the enduring threat vector of choice for cyber-attackers.

Trend Micro’s annual round-up report, The Paradox of Cyberthreats, revealed that of the 66.4 billion threats blocked by the security vendor in 2017, over 85% were in emails containing malicious content.

It also recorded a doubling of BEC attack volumes in the second half of 2017 versus the first half of the year.

Categories: Cyber Risk News

Unprotected MongoDB Account Exposes 200K Files

Tue, 08/28/2018 - 09:10

A security researcher has discovered yet another misconfigured MongoDB installation online, this time exposing over 200,000 highly sensitive corporate documents.

The 142GB MongoDB account was hosted on Amazon Web Services (AWS) infrastructure in the US and belonged to global document recognition and content capture software developer ABBYY, according to former Kromtech man Bob Diachenko.

Unfortunately, the account was left totally unprotected, with no password or log-in, meaning anyone with internet access could theoretically have gained entry.

“The biggest concern was the fact MongoDB in question also contained a large chunk of scanned documents (more than 200,000 contracts, NDAs, memos, letters and other internal documentation, properly OCR'd and stored) which apparently were stored by ABBYY partners using their administration console,” he explained.

The firm’s head of information security replied to Diachenko’s email requesting more info.

“Database access has been disabled soon after I sent him the IP address (two days after my initial notification), but questions still remain as to how long it has been left without password/login, who else got access to it and would they notify their customers on the incident,” he added.

A statement sent to the researcher following the incident claimed the “temporary data breach” affected just one of the developer’s customers, and that a “full corrective security review of our infrastructure, processes and procedures” has been undertaken.

ABBYY lists major global companies and governments among its customer base, including Deloitte, McDonald’s, Volkswagen and the Reserve Bank of Australia.

The firm is fortunate Diachenko found the trove of documents rather than online attackers who last year twice ran major campaigns in which data was stolen from exposed servers before being ransomed. It’s believed tens of thousands of victims were involved.

Categories: Cyber Risk News

SMB Employees Fail to Take Cyber Threats Seriously

Mon, 08/27/2018 - 16:11

Unfortunately for small-to-medium-sized businesses (SMBs), many employees remain ignorant of the reality of cyber threats, making decisions that continue to put the company at risk, according to a new study from Switchfast Technologies.

The study found that one in three business owners do not have safeguards in place to combat cyber breaches and that 60% of small businesses that suffer a breach go out of business within six months. With legislation like the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act being put in place, it’s clear that cybersecurity has become a weakness for SMBs.

In large part, employees remain unaware of the cybersecurity threats they face both in and out of the office, in part because the businesses themselves are not taking cybersecurity seriously. The study found that 35% of employees haven’t changed their work email password in the last year. Risks to business from weak password policy are compounded by the number of employees (19%) who share their passwords with colleagues. The same number of employees reported that they use personally identifiable numbers (birthday, anniversary, Social Security numbers) in their work email password.

In addition, 26% do not know what the dark web is, which means that they are also unaware that their personal data may be on it. All the while, few organizations are reportedly providing cybersecurity guidance to their employees. Nearly 21% of those surveyed said their company has never provided cybersecurity training and 65% said their company has never run a phishing email test.

“Today’s cybercriminals employ a variety of complex attack methods to exploit business weaknesses and target employees with bad cyber hygiene, whether it’s the CEO or an intern, bypassing the basic security measures most companies have in place,” according to the report.

“Until they recognize they are prime targets for hackers and adjust their security strategies, small businesses will continue to fall victim to rampant cyberattacks.”

Categories: Cyber Risk News

Risks and Rewards of Google's Improving Security

Mon, 08/27/2018 - 15:38

Nation-state threats continue to pose risks to national security. In an effort to mitigate those attacks, Google continues to improve its security tools to better detect and respond to state-sponsored threats, particularly with regard to protecting political campaigns and local, state and national elections.

In “An Update of State-Sponsored Activity” published 23 August, Kent Walker, SVP of Google’s global affairs, wrote that its threat analysis group has been working with its partners at Jigsaw and the Google Trust & Safety team to identify bad actors, disable their accounts, warn users and share intelligence – both with other companies and law enforcement officials.

Three specific areas of work that Google has focused on include “state-sponsored phishing attacks, technical attribution of a recently reported influence campaign from Iran and detection and termination of activity on Google properties.” To that end, Gmail users recently received a notification from Google alerting them to take immediate action against government-backed attackers who may have been attempting to steal passwords.

“Google’s efforts to track and terminate deceptive campaigns of influence run by inauthentic nation-state actors is a step in the right direction. Deception is one of the most effective and pernicious cyber-threats facing Americans and democracy today,” said Rick Moy, chief marketing officer at Acalvio.

“This coordinated action with other security organizations should be welcomed. While some may characterize this as censorship, the evidence presented in the reports is transparent and open to vetting and analysis by the broader community.”  

Yet not all experts in the security industry welcome these types of coordinated efforts. “Everyone appreciates any action taken to prevent any interference with the US political process. However, we must be careful that private actions done outside of the appropriate legal framework don't result in exactly the opposite results that those actions were trying to protect against,” said Joseph Kucic, chief security officer at Cavirin.

“There should be a governmental process implemented, similar to a FISA court, where appropriate oversight is in place prior to private companies taking actions against perceived bad actors (individuals and/or companies).”

Categories: Cyber Risk News