Complying with the General Data Protection Regulation (GDPR), video-sharing platform Dailymotion disclosed to France's Commission Nationale de l'Informatique et des Libertés (CNIL) on Friday that it suffered a credential-stuffing attack.
“The attack consists in 'guessing' the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion,” the disclosure said.
According to the disclosure, the attack was detected by the company's technical team and as of the January 25 announcement was still ongoing. Infosecurity contacted Dailymotion, and a company spokesperson said, “We consider that the attack has now stopped. We are not making further comment or discussing specific details, for obvious reasons.”
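The disclosure above describes the two behaviours a credential-stuffing attack shows in an authentication log: one source replaying a leaked list once per account (many distinct usernames, almost all failures), as opposed to a brute-force attack hammering a single account. The following is an added example, not code from Dailymotion or from this article, showing how a defender can tell the two apart from ordinary login records; the log format, the IP addresses and the usernames are constructed for the example, and the thresholds are assumptions to be tuned per site.

```python
import re

# Constructed sample authentication log (one login attempt per line); not real data.
SAMPLE_LOG = """\
2019-01-25T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-01-25T10:00:01Z ip=203.0.113.5 user=bob result=FAIL
2019-01-25T10:00:02Z ip=203.0.113.5 user=carol result=OK
2019-01-25T10:00:02Z ip=203.0.113.5 user=dave result=FAIL
2019-01-25T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-01-25T10:00:03Z ip=203.0.113.5 user=frank result=FAIL
2019-01-25T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2019-01-25T10:00:04Z ip=203.0.113.5 user=heidi result=FAIL
2019-01-25T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2019-01-25T10:00:11Z ip=198.51.100.7 user=alice result=FAIL
2019-01-25T10:00:12Z ip=198.51.100.7 user=alice result=FAIL
2019-01-25T10:00:13Z ip=198.51.100.7 user=alice result=FAIL
2019-01-25T10:00:14Z ip=198.51.100.7 user=alice result=FAIL
2019-01-25T10:00:15Z ip=198.51.100.7 user=alice result=FAIL
2019-01-25T10:00:20Z ip=192.0.2.9 user=ivan result=OK
2019-01-25T10:00:21Z ip=192.0.2.9 user=ivan result=FAIL
2019-01-25T10:00:22Z ip=192.0.2.9 user=ivan result=OK
"""

# Assumed log layout: key=value pairs; lines that do not match are ignored.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_log(text):
    """Yield (source_ip, username, succeeded) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def profile_sources(text):
    """Aggregate attempts, failures, distinct users and successful logins per source IP."""
    stats = {}
    for ip, user, ok in parse_log(text):
        s = stats.setdefault(ip, {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1
    return stats


def classify_sources(text, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.8):
    """
    Label noisy sources (thresholds are assumptions, tune per site):
      credential_stuffing: many DISTINCT accounts tried from one source, mostly failing
                           (a list stolen elsewhere is replayed once per account);
      brute_force:         ONE account tried repeatedly from one source.
    Returns {ip: (label, detail)}. For stuffing, detail lists the accounts the source
    actually got into, i.e. the ones whose password must be reset.
    """
    verdicts = {}
    for ip, s in profile_sources(text).items():
        if s["attempts"] < min_attempts:
            continue  # too little evidence from this source yet
        if s["failures"] / s["attempts"] < min_fail_ratio:
            continue  # mostly successful: looks like a normal user or shared NAT
        if len(s["users"]) >= min_distinct_users:
            verdicts[ip] = ("credential_stuffing", sorted(s["successes"]))
        elif len(s["users"]) == 1:
            verdicts[ip] = ("brute_force", sorted(s["users"]))
    return verdicts


if __name__ == "__main__":
    for ip, (label, detail) in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {label} affected={detail}")
```

The signal that matters for stuffing is the number of distinct accounts per source, not the failure count alone: a stolen list is tried once per account, so the per-account failure counters that catch brute force never trip. The source that succeeded once is the one to act on (force a reset and notify the account owner); the single-account brute force is caught by the same pass.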
Given the rise of information-stealing malware, passwords and personally identifiable information are almost guaranteed to be exposed in increasingly sophisticated and frequent data breaches, according to Scott Clements, CEO, OneSpan.
“It’s more important than ever to secure and protect the entire digital customer journey, and the data captured within, by taking a layered approach to security. This helps capture and analyze multiple complementary authentication factors and correlational data to establish trusted identities, devices and transactions. This is how we help our global banking customers – by making it harder for cyber-criminals to capture data and commit fraud.”
Still, many consumers have yet to start using multi-factor authentication (MFA) to log into websites. Instead, they are more often than not reusing a few static passwords across multiple websites, said Michael Magrath, director, global regulations and standards, OneSpan.
“Given the vast number of password-related breaches over the past few years, the convenient yet insecure reuse of static passwords exposes individuals to the credential-stuffing attack used in this case. Consumers should always use MFA, where available, to add an additional layer of security to protect their privacy.”
Nearly two-thirds (63%) of IT professionals are more concerned about data privacy and security than they were two years ago, but their poor online practices continue to drive cyber-risk, according to a new study published on the EU’s Data Protection Day.
Also known as Data Privacy Day in North America, the awareness-raising event was first held on January 28 13 years ago because that was the date on which the Council of Europe’s data protection convention (Convention 108) was opened for signature.
However, while most of the respondents to Yubico’s study — who were IT and information security pros in the US, UK, Germany and France — said they were increasingly concerned about privacy, bad habits persist.
Some 69% admitted they had shared passwords with colleagues, and over half (51%) reuse an average of five passwords across business and personal accounts. Over half (55%) don’t use two-factor authentication at work and 67% do not use it for personal accounts.
These findings are especially concerning given that IT professionals should theoretically be leading by example in organizations and society at large by following best practices in security and privacy. They also hold the keys to privileged corporate accounts and so represent a major target for hackers.
Even more concerning is the fact that 51% of those polled said they’d suffered a phishing attack at home and 44% at work, but over half (57%) of these claimed it didn’t affect their password behavior.
Thanks to the GDPR, consumers and organizations around the world are becoming more privacy-aware. Google was recently fined €50m in France in the first major investigation by regulators, with experts predicting many more will follow for both privacy and security infractions.
Aside from the 'stick' of regulatory fines, the likes of the ICO are hoping that the 'carrot' of improved transparency, operational efficiency, competitive differentiation and security, will encourage organizations to get compliant.
A Cisco study of over 3000 global security and privacy professionals released last week claimed that only 37% of GDPR-ready companies experienced a data breach costing more than $500,000, versus 64% of the least GDPR-ready firms.
In addition, those investing in GDPR compliance experienced shorter delays due to privacy concerns in selling to existing customers: 3.4 weeks as opposed to 5.4 weeks for the least GDPR-ready organizations.
UK firms were among the leaders globally, with 69% claiming to be GDPR-ready, compared to just 42% in China and 45% in Japan.
The UK’s privacy regulator has warned businesses to prepare now for a potential Brexit 'no deal,' claiming they may have to put in place standard contractual clauses to ensure unhindered data flows.
With Theresa May’s government still refusing to rule out the prospect of allowing the country to exit the EU without a deal, businesses should get to planning their response, argued information commissioner, Elizabeth Denham.
Although London will allow personal data flowing from the UK to European Economic Area (EEA) countries unhindered, the same will not be true of data coming into the UK, meaning businesses should start by mapping data flows.
“You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’,” said Denham.
“It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists.”
Even companies transferring data to and from parent organizations in Europe will need to put in place additional measures, with standard contractual clauses mentioned several times in the blog post.
“There are many mechanisms companies can use to legitimize the transfer of personal data with the EEA and standard contractual clauses is one of those. We have produced an online tool to help organisations put contract terms in place providing the lawful basis for the data transfers. Companies that need to act would also benefit from Leaving the EU - six steps to take guidance for more information,” said Denham.
“You know your organization best and will be able to use our guidance to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.”
Companies expecting an “adequacy” decision to be made on exit day to ensure unhindered data flows will also be disappointed, said Denham.
Negotiations to secure this will take “many months” and can only begin once the UK has left the EU, so alternative arrangements like standard contractual clauses will need to be put in place in the meantime.
The complexity, extra cost and effort required for firms to replace existing rules and frameworks is a microcosm of the Brexit process in general, which one former WTO boss described as being “as difficult as removing an egg from an omelette.”
A staggering 193,000 was raised for counselling service Childline at the White Hat Ball last Friday, January 25.
The annual fundraising event, organized by a committee of dedicated volunteers from the information security sector and now in its 14th year, was held at London’s Lancaster Hotel. The evening was hosted by TV presenter, writer and musical artist Nick Knowles and included speeches from Childline founder Dame Esther Rantzen and White Hat Ball committee members.
Guests enjoyed a champagne reception, three-course dinner followed by live music and dancing and various fundraising activities including a raffle, silent and live auctions.
Childline was founded in 1986 and is a free, private and confidential service for anyone under 19 in the UK, providing trained support for young people dealing with a wide range of issues. In 2006, Childline became part of the NSPCC.
“Each year the White Hat Ball raises a fantastic amount of money for Childline, a cause we are incredibly passionate about,” said chairman of this year’s White Hat Ball committee, Mark Logsdon. “Thanks to all of those involved in making it happen, our sponsors and those who attended, donated and gave so generously.”
“I’m extremely proud to be part of an industry which has made such a difference to so many children and young people over the past 14 years.”
Childline president, Dame Esther Rantzen DBE, added: “At Childline we’ve become more aware of the dangers of the online world and it’s wonderful to have the support of an industry which is determined to help keep the internet safe.
“The money the information security and risk industry have raised will help us be there for more young people, some of whom are in desperate need of our help.”
Over 160,000 UK taxpayers have demanded that the HMRC delete biometric voice recordings collected without their informed consent.
Big Brother Watch has been running a campaign into the tax office’s use of a voice identification system, first launched in 2017.
Having captured biometric data on millions of taxpayers, the system is now linked to “one of the largest known state-held voice databases in the world,” the group claimed.
However, this has come at the expense of user privacy.
The group revealed last year that when individuals called HMRC’s tax credits and self-assessment helplines they were automatically required to create a voice print.
The opt-out option was not immediately obvious — the only way users could follow this route was apparently by saying “no” three times.
The ICO is now investigating whether HMRC broke the GDPR by failing to obtain explicit consent from users, that is “freely given, specific, informed and unambiguous.”
“It is down to the ICO to take robust action and show that the government isn’t above the law,” Big Brother Watch said in a statement.
In the meantime, large numbers of taxpayers are exercising their right to erasure under the new data protection law.
The HMRC is also said to have changed the system so as to offer callers a clear opt-out should they wish.
However, over seven million users are currently enrolled in the scheme, which the tax office claims is a quick and easy way to authenticate and access accounts over the phone.
“All our data is stored securely and customers can opt out of Voice ID or delete their records any time they want,” it said.
The news was released, appropriately enough, ahead of the EU’s Data Protection Day today, an event designed to raise awareness of privacy issues among users and businesses.
Multiple consumers have reported being terrified after hackers infiltrated the Nest cameras in their homes, with one malicious actor making claims of a North Korean missile threat, according to CBS News.
California resident Laura Lyons reported that malicious actors gained control of her Nest security camera, which belted out a terrifying emergency alert warning them to find shelter because three missiles from North Korea were headed to the US.
Another family in South King County, Washington, reported a hacker gained access to their Nest security camera and verbally assaulted the mother and children, according to K5 News.
What consumers might not understand, though, is that it’s not vulnerabilities that are causing this. “It is the reuse of existing passwords that have already been exposed in previous attacks,” said Laurence Pitt, security strategy director, Juniper Networks.
“If people want to keep these important devices safe, they need to use strong and unique passwords at a minimum, and make the investment in a password management tool (1Password, my favorite, or LastPass, for example). This can help to create strong passwords and then stores them in a safe place so that there’s no need to try and remember them all,” Pitt said.
In a prepared statement shared with Infosecurity, Nest confirmed that there was indeed no vulnerability or breach. “These recent reports are based on customers using compromised passwords [exposed through breaches on other websites]. In nearly all cases, two-factor verification eliminates this type of security risk.
“We take security in the home extremely seriously, and we’re actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.”
News of the hacks has raised questions about who is responsible for the security of in-home connected devices. “Consumers will need to rethink how much of a security risk they’re willing to take in exchange for the convenience of a connected device, appliance, or car,” said Pat Ciavolella, digital security and operations director for The Media Trust.
“The problem with consumers, as I see it, is understanding the security vs. convenience trade-off. It's a tough choice for companies to make: potentially frustrate a customer by forcing them to do a password reset or allowing the customer to have convenience at the expense of their privacy and/or security,” said Lisa Plaggemier, chief evangelist, InfoSec Institute.
“Consumers are very quick, it seems, to choose convenience. Even when consumers exhibit bad security habits that make them vulnerable (in this case, using the same password on multiple accounts), when something goes wrong, the consumer blames the device provider.
“Bottom line: If more companies would adopt the measures Google is putting in place (forcing password resets, and preventing breached credentials from being reused), I think consumers would start to accept it as 'normal' instead of an inconvenience.”
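The two measures discussed above, rejecting passwords already exposed in other sites' breaches and forcing a reset when an account is found to be using one, can be implemented without the password-set or login service ever disclosing the full password to the breach-corpus lookup. The following is an added example and is not Nest's or Google's code: it hashes the candidate with SHA-1, sends only the first five hex characters of the digest to a range lookup (here a local dictionary standing in for a remote breach-corpus service, which is an assumption of the example) and compares the remaining suffix locally. The breach corpus, the minimum length and the decision labels are all constructed for the example.

```python
import hashlib

# Constructed stand-in for a corpus of passwords leaked from unrelated sites.
# A real corpus holds digests of billions of entries, never plaintext.
CONSTRUCTED_BREACH_CORPUS = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "nest1234", "correcthorsebatterystaple",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest form used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(corpus):
    """Index the corpus as {5-hex-char prefix: set of 35-hex-char suffixes}."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_lookup(index, prefix):
    """The only call that crosses to the corpus side; it sees the 5-char prefix alone."""
    return index.get(prefix, set())


def is_compromised(password, index):
    """True if the password's digest appears in the corpus (suffix matched locally)."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(index, digest[:5])


def validate_new_password(password, index, min_length=12):
    """Policy applied when a user sets a password; min_length is an assumed value."""
    if len(password) < min_length:
        return False, "too_short"
    if is_compromised(password, index):
        return False, "found_in_breach_corpus"
    return True, "ok"


def login_decision(credentials_valid, password, index):
    """
    Applied at login, the one moment the plaintext is briefly available to the service.
    A correct but breached password is allowed once and then forced through a reset,
    so existing accounts are cleaned up without locking everyone out at once.
    """
    if not credentials_valid:
        return "deny"
    if is_compromised(password, index):
        return "allow_then_force_reset"
    return "allow"


if __name__ == "__main__":
    idx = build_prefix_index(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ["password", "nest1234", "correcthorsebatterystaple", "a long unique phrase 2019"]:
        print(candidate, validate_new_password(candidate, idx))
    print(login_decision(True, "password", idx))
```

Stored password hashes are salted and slow by design, so a service cannot bulk-scan its existing user base against a breach corpus offline; the check has to run where the plaintext is transiently present, at password creation and at login, which is why the reset is forced at the next successful sign-in rather than applied to all accounts in one sweep.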
Executives at financial services companies are increasingly concerned about risks, but as technology becomes more integrated in managing financials, more executives say that cybersecurity is increasingly becoming the most important type of risk, according to a new Deloitte survey, Global Risk Management Survey, 11th Edition.
When asked which risk types would grow in importance over the next two years, 67% of financial services executives named cybersecurity, according to the report, up from 41% in 2016.
Despite identifying the increased risk from cyber, approximately half of the respondents said their companies are extremely effective or very effective at managing this risk. Broken down by category, 58% of respondents rated their organizations as effective at managing disruptive attacks, 57% for financial losses or fraud, 54% for cybersecurity risks from customers and loss of sensitive data, and 53% for destructive attacks.
When asked about managing risks from nation-state attacks, though, only 37% of financial services executives felt their institutions were effective.
Still, the study reflected a continued growth in cybersecurity risk awareness, with only 31% of respondents saying it is a challenge to "get the businesses to understand their role in cybersecurity risk," down from 47%.
The concerns are not unwarranted, particularly given the news that more than 24 million banking and financial records were left exposed. Protecting the financial services sector from increasing cybersecurity risks is one reason banks, fintech companies, data aggregators and others have joined a nonprofit by FS-ISAC with the goal of creating and supporting a unified API standard that allows consumers and businesses to share data with greater confidence and control.
“Balancing financial innovation with the critical need for data security is one of the main reasons we created the Financial Data Exchange (FDX),” said Don Cardinal, managing director of FDX. “This is the first time the industry has come together to fund a single standard that secures financial data sharing.”
Google Cloud Platform (GCP) services have been targeted by a newly discovered malware campaign delivering malware via PDF file decoys, according to Netskope Threat Research Labs.
Attackers are reportedly using the Google Cloud App Engine platform to deliver malware with PDF decoys, identified as PDF_Phish.Gen, and GCP URLs that redirect victims to malicious payloads. The research conducted by the team verified evidence of these attacks targeting governments and financial firms worldwide, with multiple decoys possibly linked to the Cobalt Strike advanced persistent threat (APT) group.
The team reportedly detected several targeted attacks, predominantly in the banking and finance sector, all of which arrived as .eml files carrying the same detection name, which triggered alerts.
“This targeted attack is more convincing than the traditional attacks because the decoy deceives the victim with a Google App Engine URL which is abused to redirect the victim to the malware. As the payload seems to be originating from a trusted source, the chance of falling victim to such attacks is very likely,” researchers wrote.
Though PDF readers typically warn users about potential security risks when a document connects to a website, researchers said, “Once 'remember this action for this site' is checked for a domain, this feature allows any URL within the domain without any prompt.” Leveraging this option lets the attacker carry out multiple attacks without the security alert ever being shown.
Each of the files used in the attack reportedly downloaded Microsoft Word documents with obfuscated macro code or PDF documents as the second-stage payload.
“The PDF decoy detected in our customer instances downloaded a word document named 'Doc102018.doc' containing obfuscated macro code...On execution, the victim is presented with a message to enable editing and content mode to view the document,” the report said.
The research suggests that continued adoption of the platform will create an increased cyber-attack surface where hackers can target the infrastructure.
Security researchers have warned of a new malvertising campaign using steganography techniques to target Apple users.
The VeryMal group has run multiple campaigns since August 2018, attempting to redirect users to the veryield-malyst domain, according to Confiant security engineer, Eliya Stein.
As many as five million users may have been subject to the most recent campaign, which used steganography to hide the payload from security tools.
“As malvertising detection continues to mature, sophisticated attackers are starting to learn that obvious methods of obfuscation are no longer getting the job done,” explained Stein.
In this case the campaign is designed to drop a trojan known as Shlayer, an adware installer which uses “an atypical installation routine” in a bid to evade detection.
VeryMal campaigns are typically only active for a few days, in this case from January 11-13 on two top-tier exchanges representing around a quarter of the top 100 publisher sites, Stein added.
US-based Mac and iOS customers are the target for VeryMal.
This could be costing the ad industry dearly. Confiant calculated the financial impact of just one day of this campaign at over $1.2m, factoring in publishers losing money from interrupted user sessions and increased use of ad blockers by disgruntled users in the future.
Ad exchanges also lose out from having inventory access cut off, and advertisers suffer ad fraud from infected devices, not to mention users with infected machines, explained Stein.
Confiant detected and blocked over 191,000 impressions across its publisher customers for this campaign, whilst a further two in December apparently yielded over 437,000 impressions.
A UK-based cybersecurity vendor has detailed how it turned the tables on an angler phishing operation posing as Virgin Media support on Twitter.
This particular type of phishing attack is a relatively new tactic. It involves the scammer registering fake Twitter accounts that masquerade as legitimate customer support and then monitoring the real support accounts for irate customer messages.
They then jump in quickly to exploit the customer’s frustration and the immediacy of Twitter to send messages back to those customers, typically loaded with malicious links.
This is what happened to a member of the team at pen-testing firm Fidus Information Security when they complained to Virgin Media via Twitter.
After receiving replies from the official account and a legitimate-looking fake they decided to have some fun.
First, they attempted to test how gullible the scammers were, providing a fake name (Wade Wilson, aka comic book character Deadpool) and address (Savile Row police station).
The scammers subsequently requested card details linked to the Virgin Media account, to which Fidus replied with a set of test credit card details.
After the card didn’t authorize for the scammers, they tried to persuade their ‘victim’ into handing over details for another card. At the same time, the security vendor was in turn trying to trick them into clicking on a link to a site hosted by the company, to expose their IP address.
In the end the firm faked a screenshot of an AmEx fraud alert SMS featuring its own phishing link requesting that the user click to verify their card details.
That appears to have been enough to phish the phishers.
“After sending a fake SMS message we received a click on our web server. At this point the game was up as the IP linked back to our website and we never received a reply back,” the vendor explained.
“We reported this all back to Twitter, who’ve since suspended the account, and Police in the UK in the hope some action can be taken against those responsible.”
Cybercrime against UK households is more common today than robbery or theft offenses, according to the latest Office for National Statistics (ONS) figures.
The Crime Survey for England and Wales (CSEW) is based on survey questions posed mainly to households by the ONS.
It calculated that computer misuse affected 1.8% of the UK population in the year ending September 2018, about the same as violent crime, but more than robbery (0.3%), “theft from the person” (0.8%), and “other theft of personal property” (1.3%).
The survey estimated around a million computer misuse offenses against UK households during this time period, although this figure has dropped by a third (33%), thanks to a major 45% fall in computer virus-related incidents.
Action Fraud data was also broken down in the report, as although it covers a smaller volume of offenses (24,000), it does include figures on cybercrime reported by businesses, which the CSEW does not.
It also reported a drop in reported computer viruses of 25%, but overall computer misuse crime jumped 12% over the period.
This figure is thought to have been driven by an increase in “hacking – social media and email” crimes over the 12 months.
“This is thought to reflect an increasing awareness of falling victim to hacking among the public, leading to a greater likelihood of incidents being reported,” the ONS claimed.
Fraud figures didn’t change significantly from the previous year, with online scams now accounting for 56% of the total, or 1.9m incidents, according to the report.
Fraser Kyne, EMEA CTO at Bromium, said the findings chimed with trends observed by his company over the past two years.
“Last year there was a 145% rise in malware, but this year that dropped by 25% as hackers switched tactics to hijack email and social media accounts,” he explained.
“The risk here for organizations is that hackers are still exploiting the weakest link in security, people. It is also worth noting that Action Fraud’s stats only reflect reported crime. These detected events prove that hackers are still bypassing defenses; but we must also assume that malware is breaking through and remaining undetected.”
A new cybersecurity curriculum targeting junior Girl Scouts aged 9-11 aims to shift the image of the young girls in green from cookie distributors to cyber defenders, according to news from Hewlett Packard Enterprise (HPE).
HPE has teamed up with the Girl Scouts to launch a cybersecurity education program specifically for young girls to learn and test out their cyber savvy using a newly debuted interactive online game. The game is dubbed Cyber Squad, and the program is initially being rolled out with Girl Scouts of Nation’s Capital, in counties throughout Washington D.C., Maryland and Northern Virginia.
The narrative game was custom-designed specifically for the Girl Scouts pro bono by HPE’s women in cybersecurity group. Cyber Squad takes players through mock scenarios and simulates the consequences of both risky and safe online behaviors.
At a time when 86% of girls engage in online chats unbeknownst to their parents, this new educational tool is critical to keeping young women safe online. Given that 69% of teens regularly receive electronic exchanges from strangers and don’t share that information with their parents, they are becoming increasingly vulnerable to negative online behaviors and privacy risks. In fact, according to HPE’s press release, 27% of young people willingly agree to in-person meetings with someone they have only met online.
“Kids are becoming more mobile, networked and connected, but this also comes with alarming risks and dangers. Making basic cybersecurity awareness at a young age is imperative, and as fundamental as safety skills in the physical world, like learning how to cross the street,” said HPE chief information security officer Liz Joyce in a press release.
“As someone who tackles cyber risks and crime by day and goes home to a young daughter at night, I know just how critical this education is. Through this collaboration, we hope to arm Girl Scouts with the cybersecurity literacy and knowledge they need to be savvy, secure and safe online, and to empower them to be good digital citizens.”
To address the growing concerns of online behavior and communication, the curriculum will cover four crucial areas, including personal information and digital footprint, online safety, privacy and security, and cyber-bullying.
Those Girl Scouts who complete the game and a corresponding curriculum (taught via troops) will earn an embroidered patch for their uniforms certifying their newfound knowledge. The curriculum and game are intended to foster cyber and STEM smarts in a fun and relatable way.
The British public is dead-set against the use of drones, with the vast majority believing that they represent a national security risk and that cyber experts must do more to mitigate the threat from above.
Think tank Parliament Street polled 2000 members of the public to compile its latest report, Drones 4 U.
It appears as if recent incidents at two London airports have had a major impact on the public perception of unmanned aerial vehicles (UAVs).
Three-quarters (75%) believe them to be a national security threat, with only 2% disagreeing, according to the report.
Over a third (38%) said they want to see drones banned altogether, but a larger number (83%) backed a mandatory licensing system for owners similar to firearm regulations.
The vast majority (83%) of those surveyed also believe the UK is failing to keep up with the threat of developments in drone technology, and a similar number (84%) want cyber experts to do more to help during serious incidents.
Drones flying over Gatwick Airport caused chaos last month as both runways were forced to close, leading to an estimated 800 cancelled flights affecting 120,000 passengers over several days. The incident was a much worse repeat of a 2017 closure of the same airport due to UAVs when a runway was shut for 14 minutes.
A similar problem hit Heathrow Airport earlier this month.
Such incidents are becoming increasingly frequent. According to Parliament Street, drones have flown dangerously close to passenger aircraft in the airspace around Gatwick at least five times over the past four years.
There are also concerns over drones potentially being hijacked by hackers and used to cause incidents like the ones above.
PwC warned last year that GPS receivers are a major weakness in civilian drones as they’re dependent largely on unencrypted signals.
“Without secure authentication mechanisms, location spoofing is possible. The internal measurement units rely on data from other sensors on the drone and measure direction of travel — if they are fed incorrect information, the drone’s course or altitude could be altered,” it added in a blog post.
“Another potential vulnerability is the functionality to configure a drone to ignore communications from the ground during flight. This is meant to be a safety control, but it could be attractive to threat actors looking to cause harm … it is important that end-to-end security is employed to secure any drone-enabled service.”
Security researchers are warning of a newly discovered and highly sophisticated strain of modular ransomware featuring special capabilities to resist analysis.
Dubbed “Anatova” by McAfee, the malware has been detected across the globe, in the US, UK, Russia, Italy, Sweden and beyond. It was discovered in a private P2P network, using a game or application icon to trick users into downloading it.
Compiled on January 1 this year, Anatova is believed to have been created by “skilled malware authors.”
Each sample analyzed by McAfee had its own unique key, a rarity in the ransomware world, and featured strong protection against static analysis.
Most strings are encrypted, using different keys to decrypt them, and 90% of calls are dynamic and use only standard Windows APIs and C programming, the vendor claimed. The malware also initiates a memory-cleaning procedure if it comes across one of a list of usernames commonly used by virtual machines and sandboxes.
Files are encrypted via Salsa20 and the malware will also hunt down any files on network shares, with 10 DASH coins ($700) demanded in return for decryption.
“Finally, when all steps are completed, the ransomware will follow the flow of cleaning code…mainly to prevent dumping memory code that could assist in creating a decryption tool,” McAfee explained.
The ransomware is modular in architecture, leading to speculation that its authors could package these capabilities up with information-stealing or other functionality to improve the chances of monetizing attacks.
The findings highlight the fact that ransomware remains a major threat to organizations, despite more publicity being focused on crypto-mining in 2018.
Earlier this month the Texan city of Del Rio warned that it had been hit by a major ransomware-related outage.
Europol last year warned that ransomware would be a top threat to businesses for years to come.
Google is under investigation in Sweden over alleged breaches of the GDPR, just days after it was issued with a major €50m fine in France.
Swedish regulator Datainspektionen revealed earlier this week that it launched the investigation into collection of Android users’ location data, after receiving a complaint from the Sveriges Konsumenter (Swedish Consumer Association) linked to allegations in an earlier report by Forbrukerrådet (the Norwegian Consumer Council).
“In summary, the complainant holds that the way Google provides itself access to the location data of users of its mobile operative system Android by ways of its so called ‘Location History’ and ‘Web & App Activity’ is in breach of the GDPR,” the authority said.
“According to the complainant, the report by Forbrukerrådet states that Google use deceptive design, misleading information and repeated pushing to manipulate users into allowing constant tracking of their movements. In essence, the complainant holds that the processing of location data in this way is unlawful and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR.”
A supervisory letter sent to the web giant requests more information and answers to a series of questions by February 1.
Specifically, it wants to know the total number of Swedes who have had location data slurped through the services and how many data points are gathered on average per individual, broken down for every hour of the day.
It asks for privacy policies, data impact assessments and records of processing activities, and wants to know the legal basis for processing, why data is being collected, and when and how consumers are notified, among other details.
The investigation highlights the continued scrutiny of firms under the GDPR. Although we have yet to hear about a major investigation undertaken due to concerns over data security, one is surely not far away as the regulators begin to flex their muscles.
What was reported earlier this week as only two Elasticsearch database misconfigurations that left millions of bets and thousands of personal records exposed has evolved into a trove of disclosures involving more than 24 million banking and financial records at several organizations, including Bancolombia, according to security researcher Bob Diachenko.
As the week has progressed, Diachenko has revealed the names of different organizations that were part of his Elasticsearch discovery, including Citi and Ascension, a data and analytics company. Today, Diachenko has revealed his exchange with yet another company, Bancolombia, whose database misconfigurations left records exposed.
In an email to Infosecurity, Diachenko wrote:
To discover data breaches, leakages, and vulnerabilities on the Internet, we at SecurityDiscovery.com use public search engines only, such as Shodan, Censys etc. When we find a public database (data that’s fully accessible to anyone without any restrictions) we collect several digital samples for further analysis. If these samples contain any kind of private and sensitive data, we employ a Responsible Disclosure model to privately communicate the findings with data owners (the company or organization that left the information publicly accessible) and help them implement specific security safeguards to protect their private data.
On Nov 29th I identified an unprotected Elasticsearch cluster, available for public access, via Shodan engine. It took me some time before I analyzed the data and noted that almost all payment information (credit cards details) was related to Bancolombia, so I decided it would be the quickest possible solution to prevent this data from being stolen and report the incident directly to bank authorities.
Shortly after I contacted Bancolombia, the instance was secured (Nov. 30) and on the next day I was contacted by a representative of a company that managed the data, Waumovil, who thanked me for the heads up and said that "unfortunately we had some open ports that I was not aware".
In an attempt to get ahead of what has been dispersed on social media, Bancolombia responded to Diachenko, asserting that none of its systems had been compromised but that the information was “stolen at trade,” according to a translation of the statement.
"We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers. The public configuration allows the possibility of cyber-criminals to manage the entire system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains," Diachenko said.
"Although the company reacted fast to secure their data it is unclear how long it may have been publicly available or who else might have accessed the files. Data privacy and data protection laws like GDPR are a good first step but companies and charities need to be proactive when it comes to data protection."
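The "public configuration" Diachenko describes is, in practice, an Elasticsearch node bound to every network interface with no authentication in front of its REST API. The following elasticsearch.yml is an added illustration for this article, not configuration from Bancolombia, Waumovil or the researcher: the exposed form is shown commented out beside a hardened form. Setting names are those of Elasticsearch 7.x (assumed here); the cluster name and certificate paths are placeholders.

```yaml
# Added example (not from the article): elasticsearch.yml, exposed vs hardened.
# Settings are Elasticsearch 7.x; cluster name and certificate paths are placeholders.

# --- Exposed form (what an internet-facing, unauthenticated cluster looks like) ---
# network.host: 0.0.0.0          # binds the REST API (port 9200) to every interface
# xpack.security.enabled: false  # no login required: anyone reaching 9200 is an admin

# --- Hardened form ---
cluster.name: example-cluster      # placeholder
network.host: 127.0.0.1            # listen only on the local host (or a private NIC)
http.port: 9200
discovery.type: single-node

# Require authentication on the REST API and between nodes
xpack.security.enabled: true

# Encrypt client traffic so credentials are not sent in clear text
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12            # placeholder path

# Encrypt and authenticate node-to-node transport traffic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12    # placeholder
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12  # placeholder
```

After enabling security the built-in users still need passwords (the `elasticsearch-setup-passwords` tool in 7.x does this). The check that matters is the one Diachenko effectively performed: from a host outside the environment, a request to port 9200 should be refused or answered with 401, never with the cluster banner or index listing, and the port should not be reachable from the internet at all when the data is only needed internally.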
Enterprises around the globe have seen a surge in compromises resulting from phishing attacks, so much so that phishing has surpassed ransomware by an overwhelming margin, according to Proofpoint.
According to the new 2019 State of the Phish report, last year saw a 65% increase in enterprises compromised by phishing attacks, with credential compromises rising by more than 70% to become the most commonly experienced attack in 2018.
The comprehensive study analyzed tens of millions of simulated phishing emails in its survey of nearly 15,000 information security professionals and 7,000 end users across 16 different industries.
As cyber-criminals continue to focus their attention on people rather than technologies, the study found that many end users “are relying on IT teams to automatically discover and fix accidental downloads of malicious software. The lack of clarity with regard to the role of IT in attack prevention could be giving users a false sense of security and unnecessarily taxing infosec resources.”
While the report reflected a global average of 66% of end users who know what phishing is, more than half of the respondents (55%) reported that they do not know what smishing is and 63% were unfamiliar with vishing. Though ransomware awareness has improved, there has been little growth in phishing awareness for users in the US, UK and Germany.
In fact, from 2017 to 2018, the average number of users who said they know what phishing is actually declined in the UK and Germany. When broken down by age group, the 54+ population seem to have the greatest awareness, with 73% correctly defining phishing, while only 47% of those aged 18-21 were able to correctly do so.
“Baby boomers and Gen X respondents (ages 38-53) exhibit much stronger recognition of phishing and ransomware, which we feel is likely due to longer-term exposure to security awareness training about these topics,” the report said.
“Millennials and their younger counterparts are strongest in recognition of smishing and vishing, two more recent threat vectors – though less than a third of each group responded correctly, so not a great showing overall.”
As 2018 rounded to a close, Malwarebytes predicted that Emotet and Trickbot were the future of malware, and the third annual State of Malware Report released today confirms that the Trojan families spread wildly, most often targeting the education, government, manufacturing and healthcare sectors.
The old adage, "When one goes up, the other comes down," rang true with malware attacks in 2018. By the second quarter of the year, there was a notable decline in crypto-mining attacks, which saw only a 7% year-over-year increase; however, there was a significant rise in information-stealing malware. The former banking Trojans Emotet and TrickBot plagued the education industry, while manufacturing suffered attacks from WannaCrypt and Emotet.
“The year 2018 was action-packed from start to finish,” said Adam Kujawa, director of Malwarebytes Labs, in a press release. “It began with threat actors diversifying their cryptomining tactics; broadening their reach to Android, Mac and cryptomining malware; and experimenting with new innovations in browser-based attacks.”
Seven categories of malware were detected within businesses, with Trojans, RiskWare tool, backdoors and spyware as the top four as a result of a more than 100% year-over-year increase. Vools was the top detection among backdoor compromises, according to the report.
“Year after year, we see cyber perpetrators finding new (and old) avenues for monetizing on their attacks. Regardless of whether it is ransomware, mineware or 'good old' Trojans and info stealers, the strategy is the same: find the weakest link and abuse it for initial infiltration, then deploy the 'profit module' of your choice," said Matan Or-El, co-founder and CEO of Panorays.
If the report offered any good malware news, it was that consumer attacks declined, despite business threats increasing by 79%. “Despite the focus on business targets, consumer malware detections only decreased by three percent year over year, thanks to increases in backdoors, Trojans, and spyware malware categories throughout 2018. While 2017 saw 775,327,346 consumer detections overall, 2018 brought with it about 25 million fewer instances of infection – a healthy decrease in number, percentages aside,” the report said.
Last year also witnessed a rise in rogue app attacks, with extensions that fooled both users and app stores into thinking they were legitimate. Also, as Infosecurity reported, Magecart covered a lot of ground in its widespread attacks on e-commerce sites.
Finally, sextortion made its way to the top 10 takeaways list. “Major scams for the year capitalized on stale PII from breaches of old. Phishing emails were blasted out to millions of users in extortion (or in some cases, sextortion) attempts, flashing victims’ old, but potentially still viable, passwords and warning them that they’d expose their secrets if they didn’t pay up.”
Last year cybersecurity professionals struggled to defend against increasing crypto-mining attacks, along with fileless attacks, ransomware and commodity malware, marking 2018 as the year of the next generation of attacks.
“Modern cyberattacks appear to increasingly...reveal how clever attackers have become in evolving to remain undetected – using techniques such as lateral movement, island hopping and counter incident response to stay invisible,” the report stated.
The data analyzed in the study found that, in aggregate, enterprises saw approximately one million attempted cyber-attacks per day, though half of today’s cyber-attacks use the victim primarily for island hopping.
Governments around the globe experienced increased attacks that appeared to stem from Russia, China and North Korea. “Of the identified fileless attacks, variants of the malware Graftor were uniquely identified as the fileless payload. The FBI has high confidence that Graftor variants are used by North Korean cyber operations, also referenced as HIDDEN COBRA, to maintain presence on victim networks and to further network exploitation,” the report stated.
In addition the threat data revealed that computers/electronics, healthcare, business services, internet/software and manufacturing were the five industries most targeted by cyber-attacks in 2018.
Kryptic was the most commonly used ransomware variant in 2018, and the five industries most targeted with ransomware were manufacturing, business services, retail, government and computers/electronics.
The data also showed that the average endpoint “was targeted by two cyberattacks per month throughout 2018. At this rate, an organization with 10,000 endpoints is estimated to see more than 660 attempted cyberattacks per day.”
Another key finding of the study found that approximately $1.8 billion of cryptocurrency-related thefts transpired last year, up from the $1.3 billion in total losses reported by the FBI in 2016, and cyber-criminals have largely shifted from Bitcoin to Monero as their currency of choice.
“Of the identified attacks, cryptocurrency exchanges are the most vulnerable target for cybercriminals. Attacks on these exchanges account for just over 27% of all reported incidents. These exchanges represent prime targets for cryptocurrency theft, fraud and harvesting of user information for follow-on targeting by these same criminals.”
A security researcher with the Qihoo 360 Vulcan Team, Qixun Zhao (@S0rryMybad), has revealed the second stage of an exploit chain in which he was able to remotely jailbreak the latest iOS system on iPhone X.
In a January 23 blog post, Zhao released the proof of concept (PoC) of a kernel vulnerability that can be reached in the sandbox, which he dubbed Chaos. For the benefit of beginners, he provides what he calls elaborate details on the tfp0 exploit, though he does not reveal the exploit code.
Instead, he stated, “if you want to jailbreak, you will need to complete the exploit code yourself or wait for the jailbreak community’s release. At the same time, I will not mention the exploit details of the post exploit, as this is handled by the jailbreak community.”
Zhao does demonstrate the jailbreak in a video posted to Twitter.
Following his intuition, Zhao said he believed there would be a path that would cause a leak, which he found could be exploited before iOS 12 even started in the sandbox.
Noting that the bug has been fixed in the most recent version, Zhao wrote, “As soon as I saw the code I felt that this part of the code is definitely lacking review and the quality is not high enough. After all, the code that can be directly reached in the sandbox, that means the kernel developer may not be familiar with the rules for generating MIG code. This information is more important than finding the bug in the above.”
Despite the misguided belief that PAC mitigation was the end of UaF or jailbreak, Zhao said the UaF hole can still be used in the PAC environment. “We can see that in the whole process of getting tfp0, we didn't need to control the pc. This is because there was a port property value in the object ipc_voucher we released. The exploitation of the UaF vulnerability depends greatly on the data structures of the released object, as well as how to use them, since in the end we have to convert to type obfuscation."