Info Security

Subscribe to Info Security  feed
Updated: 17 min 31 sec ago

Attackers Spy and Steal from Financial Firms

Wed, 06/20/2018 - 16:42
Attackers Spy and Steal from Financial Firms

In an attempt to steal sensitive data, cyber-criminals have been targeting financial firms by building hidden tunnels in order to break into networks. According to a report released today by Vectra, these attack behaviors are the same as those that led to the 2017 Equifax breach. 

According to a new report, 2018 Spotlight Report on Financial Services, attackers are able to gain remote access through the use of command-and-control (C&C). In the data analyzed, attackers had established nearly 30 web shells accessible from approximately 35 different public IP addresses, which allowed them to exfiltrate data while going undetected.

Attackers often leverage hidden tunnels to infiltrate networks with strong access controls because legitimate applications also use hidden tunnels to bypass security controls that can sometimes compromise full functionality. That's why it's a successful attack method.

"Every industry has a profile of network and user behaviors that relate to specific business models, applications and users," said Chris Morales, head of security analytics at Vectra. "Attackers will mimic and blend in with these behaviors, making them difficult to expose."

In this latest discovery, Vectra detected more hidden C&C tunnels and more than twice as many hidden data-exfiltration tunnels per 10,000 devices in financial services than all other industries combined. 

To evade firewalls, attackers use special tunneling tools to move laterally, stockpiling data from database after database as they go. They were able to amass so much data that it then needed to be divided into smaller stockpiles so that no alarm bells went off during exfiltration. 

"All this points to one painful fact: The largest enterprise organizations in the world remain lucrative targets for sophisticated cyber-attackers. Security breaches across multiple industries forge ahead in an upward trajectory, and the financial services industry is no exception," the report said.

Categories: Cyber Risk News

Cyber Group Targets Satellites, Telecom

Wed, 06/20/2018 - 16:23
Cyber Group Targets Satellites, Telecom

A cyber-espionage group infiltrated satellite, telecom and defense companies in the US and Southeast Asia, and evidence suggests that the campaign's objective was espionage. Identified by Symantec and announced on 19 June, the campaign originated from machines based in mainland China, according to researchers.

Thus far, the analysis suggests that the defense, telecom and satellite sectors – more specifically, the geospatial sector – have been targeted. In the geospatial sector, the group targeted computers running MapXtreme GIS (geographic information system) software, used to develop custom geospatial applications and to integrate location-based data. Not surprisingly, machines running Google Earth Server and Garmin imaging software were also targeted.

“The Thrip group has been working since 2013 and their latest campaign uses standard operating system tools, so targeted organizations won’t notice their presence,” said Greg Clark, Symantec CEO, said in a press release. "They operate very quietly, blending in to networks, and are only discovered using artificial intelligence that can identify and flag their movements. Alarmingly, the group seems keenly interested in telecom, satellite operators, and defense companies. We stand ready to work with appropriate authorities to address this serious threat."

Because attackers are moving laterally in order to infect satellite monitoring and controlling devices within a satellite communications operator, the threat has the potential to be very disruptive. In a 19 June blog postFortinet said this component of the threat suggests that the group likely wanted to gather intelligence, exfiltrate data and disable the satellites.  

“Thrip exemplifies the growing urgency for being able to quickly and reliably detect lateral movement across the network,” said Anthony Giandomenico, senior security researcher, Fortinet FortiGuard Labs. However, defending against an advanced threat such as Thrip requires a number of critical security strategies to be in place.

Attackers rarely find what they are looking for in their first compromised device, which is why they then move laterally in search of the systems they need to accomplish their goal. Moving through the systems also allows them to "establish a stronger foothold to increase the difficulty of properly removing the malware from the network," Giandomenico said.

“Detecting an initial compromise can be very difficult, even with sophisticated security measures in place, as it usually happens very fast and often uses advanced evasion techniques to disguise the attack," Giandomenico continued. "This sort of countermeasure requires keeping up with the latest techniques adversaries are using while being proactive in finding and addressing existing network blind spots and control gaps.”

Categories: Cyber Risk News

Nation-State Actions Could Negatively Impact Businesses

Wed, 06/20/2018 - 15:22
Nation-State Actions Could Negatively Impact Businesses

In today’s interconnected world, it’s more likely that politics and social unrest the world over could have significant impact on today’s digital business. That’s according to Flahspoint’s Business Risk Intelligence Decision Report, which took a midyear look at the methods, motives and moves of nation-state actors.

“The relatively quiet first six months of 2018 could turn on a dime as midterm elections loom, tense relations in the Middle East persist, the U.S. leaves the Joint Comprehensive Plan of Action (JCPOA), sanctions against Iran tighten, and numerous other dramatic geopolitical developments continue to arise,” the report stated.

The report analyzed trends and indicators in threat actor reactions to, and prioritization of, activities with regards to global events and dynamics. From that analysis, Flashpoint developed a six-tiered capability and potential impact scale, with the sixth tier potentially having what the company defined as a catastrophic impact.

Results of the analysis rank China and Russia at a Tier 6 – the greatest threat – across most verticals, with the exception of retail. Though state-sponsored cyber activity coming from Russia has been quiet thus far this year, “the apparent lack of cohesion between Europe and the US in dealing with Russian offensive cyber tactics may server to embolden Russia to continue expanding its cyber operations,” according to the report.

Activity from state-sponsored actors in China remained potent threats to private companies and government institutions. China has continued its internal crackdown on anonymity while increasing scrutiny of online activities and foreign corporate interests. In addition, The National Cybersecurity Law has driven cyber-criminals to either cooperate with authorities or move farther to the fringes in tools and techniques.

Also rated as potentially having a catastrophic impact is the intelligence-sharing arrangement between several Anglophone countries known as the Five Eyes. The report defines the Five Eyes as the group that “collectively represents the pinnacle of cyber capabilities related to cyber espionage and destructive or disruptive attacks."

"Yet they are not traditionally considered threat actors to Western entities," the report states, "because their activities are generally undertaken in support of national security objectives rather than for commercial or economic gain.”

Categories: Cyber Risk News

Misguided “Bitcoin Baron” Hacker Gets 20 Months

Wed, 06/20/2018 - 10:29
Misguided “Bitcoin Baron” Hacker Gets 20 Months

An inept cyber-criminal has been given a 20-month sentence behind bars after DDoS-ing the networks of a Wisconsin city, temporarily taking out its 911 center.

Randall Charles Tucker, 23, of Apache Junction, Arizona carried out the attacks on the City of Madison in 2015 as part of a wider DDoS campaign against various cities, according to the Department of Justice.

“In addition to disabling the City of Madison’s website, the attack crippled the city’s internet-connected emergency communication system, causing delays and outages in the ability of emergency responders to connect to the 911 center and degrading the system used to automatically dispatch the closest unit to a medical, fire, or other emergency,” the noticed read.

It’s unclear what his motivation was in launching the attack, although it came just days after a fatal shooting by a Madison police officer.

Tucker’s other exploits saw him DDoS the municipal computer systems in Phoenix suburbs Chandler and Mesa and user-generated video portal News2Share, the latter in a bid to persuade it to feature one of his videos.

These charges were reportedly dropped as part of the plea deal.

Tucker boasted of his crimes on social media, dubbing himself the “Bitcoin Baron,” and has also reportedly taken part in hacktivist campaigns like Anonymous #OpSeaWorld.

However, his attempts to portray himself as a moral crusader failed miserably. In one incident in 2015 he apparently DDoS-ed the city and police websites of San Marcos in Texas — demanding a local policeman who had assaulted a female college student be jailed and fired. That cop had already been sent to prison two years previously.

Tucker also launched an attack on a children’s hospital, reportedly defacing it with child pornography, which if true somewhat undermined his hacktivist credentials.

Alongside the jail sentence, Tucker was ordered by the court to pay restitution of over $69,000 to the victims of his attacks.

Categories: Cyber Risk News

Olympic Destroyer Malware is Back to Wreak Havoc

Wed, 06/20/2018 - 09:35
Olympic Destroyer Malware is Back to Wreak Havoc

The notorious Olympic Destroyer malware which disrupted the last Winter Games has resurfaced, targeting several countries in Europe as well as Russia and Ukraine, according to Kaspersky Lab.

The Russian AV company warned that the latest activity could spell the start of new destructive malware campaigns from the group behind the threat.

“In May-June 2018 we discovered new spear-phishing documents that closely resembled weaponized documents used by Olympic Destroyer in the past. This and other TTPs led us to believe that we were looking at the same actor again,” the firm explained.

“However, this time the attacker has new targets. According to our telemetry and the characteristics of the analyzed spear-phishing documents, we believe the attackers behind Olympic Destroyer are now targeting financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.”

Phishing emails were used to infiltrate and map out target networks ahead of a destructive campaign which disrupted the Pyeongchang Olympics earlier this year, leading the firm to speculate that this new activity could lead to similar.

It warned all biochemical-threat prevention and research organizations in Europe to bolster their defenses and run unscheduled security audits.

It’s not clear what the link between these new targets is, with the group behind it considered “a master in the use of false flags.” However, Kaspersky Lab claimed the TTPs and operational security techniques used by the group “bear a certain resemblance” to Sofacy/Fancy Bear/APT28, the notorious Kremlin hacking outfit that disrupted the 2016 US presidential election.

“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e. a group primarily interested in financial gain through cyber-theft and another group or groups looking for espionage targets,” the vendor concluded.

“This could also be a result of cyber-attack outsourcing, which is not uncommon among nation state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this during the Pyeongchang Olympics to redirect researchers’ attention.”

Categories: Cyber Risk News

Hackers Steal $31m+ From South Korean Crypto-Exchange

Wed, 06/20/2018 - 08:46
Hackers Steal $31m+ From South Korean Crypto-Exchange

South Korean exchange Bithumb has been targeted by hackers for the second time in a year, this time losing over $31m in cryptocurrency.

A notice from the firm, one of the world’s largest digital currency exchanges, claimed that the attack began last night and was discovered this morning, with around 35bn won ($31.5m) taken.

The firm has halted deposits and withdrawals “for the time being” while it conducts a thorough review into what happened.

It claimed that all lost funds will be covered by Bithumb from its own reserve and that remaining assets were removed to a secure cold wallet.

Currencies affected are thought to include Ripple.

Bithumb is thought to be the sixth largest exchange in the world based on its trading volume of over $370m.

However, this isn’t the first time it has been a target for cyber-attackers.

Back in July 2017, hackers stole personal details on 30,000 customers after compromising an employee’s laptop. The resulting phishing campaign tricked them into handing over authentication codes which resulted in large scale theft from customer accounts.

The attacks continue to come thick-and-fast against digital currency exchanges. Bithumb rival Coinrail was targeted by hackers earlier this month in a raid which cost it $37m, around 30% of its total token/coin reserves. In December 2017, Slovenian cryptocurrency marketplace NiceHash was hit by a cyber-attack which led to losses of $64m.

The news will continue to serve as a warning to investors of the risks involved in putting money into the nascent cryptocurrency market.

North Korean hackers have been pegged in the past for spear-phishing attacks against cryptocurrency exchanges and illegal cryptomining, as they look to generate much needed funds for the Kim Jong-un regime.

IEEE member and professor of cybersecurity at Ulster University, Kevin Curran, argued that attacks on crypto-currency organizations have increased as the value of the currency has rocketed in recent years.

“If they do find your crypto-currency wallet or hack online crypto exchanges and transfer the coins — then it is basically gone forever. It is not that we cannot see which ‘wallet’ these ‘coins’ have been transferred into but rather that the stolen tokens can be transformed into ‘fresh’ tokens by using ‘mixing services’, which create new untraceable tokens,” he explained.

“Ultimately, remember that the European Banking Authority and others have warned that Bitcoin users are not protected by refund rights or chargebacks.”

Categories: Cyber Risk News

Email Mistake Costs Chicago School Employee a Job

Tue, 06/19/2018 - 16:42
Email Mistake Costs Chicago School Employee a Job

A Chicago Public Schools (CPS) employee will be removed from their position after accidentally sending a mass email that included a link to a confidential spreadsheet on Friday evening, 15 June. The email exposed the private data of 3,700 students and families, according to the Chicago Tribune. The link, which wasn’t removed until Saturday morning, revealed students’ names, email addresses, phone numbers and student ID numbers.

Affected families were notified via the following email:


Good evening,

Earlier today, in an unacceptable breach of both student information and your trust, we mistakenly included your private student and family information in an email to you and more than 3700 other families who were invited to submit supplemental applications to selective enrollment schools.

We sincerely apologize for this unintended disclosure and ask that you please delete the information in question.

We are taking this matter very seriously, and a review of this incident is underway to determine how this breach occurred and ensure a similar matter does not occur again. Additionally, we will be removing the responsible employee from their position because violating your privacy is unacceptable to the district.

If you would like to speak with someone regarding this matter, please contact 773-553-2060.


Tony Howard

Executive Director

CPS Office of Access and Enrollment

While the error will cost the employee their job, there is a greater question of liability as the employee was able to access a file stored on Blackboard that contained sensitive information without any required login.

CPS reportedly had initially believed that the file was an attachment, and it asked parents to delete the file. “So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard,” according to

In an email to Infosecurity Magazine, CPS wrote, “To ensure no one else is able to pull down the improperly disclosed information, CPS had the sensitive file pulled from the network so that no one could retrieve it again. We also asked anyone who downloaded the data to remove it from their system."

"To help ensure an improper disclosure of this nature does not occur again, we immediately put in place additional technical restrictions regarding personnel who can send messages of this nature," CPS continued. "Moving forward, we are exploring additional technical safeguards that would help prevent data of this nature from being disclosed."

Categories: Cyber Risk News

Tesla's Tough Lesson on Malicious Insider Threats

Tue, 06/19/2018 - 14:51
Tesla's Tough Lesson on Malicious Insider Threats

The potential damages a company can suffer from malicious insiders became a harsh reality for Tesla CEO Elon Musk, who expressed his disappointment at learning he had a saboteur within the Tesla ranks. The individual who allegedly engaged in damaging sabotage against Tesla was reportedly an employee disgruntled over not getting a promotion.

According to a report from CNBC, Musk sent an email to Tesla employees late Sunday revealing that a Tesla worker had engaged in “quite extensive and damaging sabotage” against the company. CNBC posted what it said was a copy of the email in which Musk said the sabotage included the use of false usernames to make changes to the code used in the Tesla Manufacturing Operation System, as well as “exporting large amounts of highly sensitive Tesla data to unknown third parties.”

As Musk noted, when an employee engages in such illicit activity, it is usually an act of revenge. "His stated motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move."

"This is a major reminder as to why privileged access management is a must-have for organizations that deal with sensitive information or personal information and why least privileged is a practice being adopted by many organizations,” said Joseph Carson, chief security scientist at Thycotic.

However, in a recent Raytheon-commissioned survey of IT security professionals, insider threats ranked low on the CISOs' priority lists, with only 36% saying they consider malicious or criminal insiders to be a high risk.

"Taking things at face value, this [act of sabotage] is basically a smorgasbord of cybercrime, and it could have affected any company anywhere. You have an insider threat. You have altered data affecting the factory operating system. You have leaked proprietary data. You have credential theft. And you have it all, apparently, at the hands of a disgruntled employee. It’s time to make insider threat a top priority," said Michael Daly, CTO, cybersecurity at Raytheon.

The reality that employees can act without regard for the best interest of the company will likely be a major lesson for Tesla, but it's not its only struggle right now. It also confronts ongoing issues in its electric vehicle plant. Less than 24 hours after alerting employees to the sabotage, Musk shared news of another fire in its factory, which happened during the evening of Sunday, 17 June.

Categories: Cyber Risk News

Google Home and Chromecast Expose Location Data

Tue, 06/19/2018 - 14:09
Google Home and Chromecast Expose Location Data

One of the consequences of constant connectivity is that the connected devices people use are vulnerable to attacks, which can expose not only personal but also location data, as a researcher from cybersecurity firm Tripwire recently discovered.

A new attack against popular home devices Google Home and Chromecast revealed a privacy issue: The devices can be used to find out where people live.

In an 18 June post, researcher Craig Young detailed how he used a technique called DNS rebinding to achieve code execution, allowing him to pinpoint precise locations of Google Home and Chromecast devices just by getting their users to open a website.

DNS rebinding uses a web browser to find devices on a user's network, a revelation that even surprised Young when he found not only that this attack is possible but also that Google was aware of the problem and had done nothing.

“It turns out that although the Home app – which allows users to configure Google Home and Chromecast – performs most actions using Google’s cloud, some tasks are carried out using a local HTTP server. Commands to do things like setting the device name and WiFi connection are sent directly to the device without any form of authentication,” Young said.

The discovery presents both a privacy and a safety issue for users that browse the web from the same Wi-Fi as a Google Home or Chromecast because it opens up the possibility of cyber-stalking. A website’s operator can learn a user’s location, which makes it possible for a predator to physically stalk a victim in the real world.

Moreover, Young believes it's important for users of these kinds of devices to understand the broader implications and risks of this new attack, as there is the "possibility of more effective blackmail or extortion campaigns. Common scams like fake FBI or IRS warnings or threats to release compromising photos or expose some secret to friends and family could use this to lend credibility to the warnings and increase their odds of success.”

As a method of mitigating exposure, Young said he has at least three distinct networks in his home at any given time so that if he is surfing the web on his main network, “a rogue website or app would not be able to find or connect to my devices. When using Chromecast, I need to then either switch networks temporarily or else use the sometimes glitchy ‘Guest Mode.’”

Categories: Cyber Risk News

Nearly Half of All Web Apps Vulnerable to Unauthorized Access

Tue, 06/19/2018 - 13:01
Nearly Half of All Web Apps Vulnerable to Unauthorized Access

New research from Positive Technologies has discovered that almost half (48%) of web applications are vulnerable to unauthorized access, with 44% placing users’ personal data at risk of theft.

What’s more, 70% of the apps Positive Technologies tested proved susceptible to leaks of critical information, whilst attacks on users are possible in 96% of them.

In fact, every app the firm assessed contained vulnerabilities of some sort, with 17% having vulnerabilities that would allow an attacker to take full control over the app.

The majority of detected vulnerabilities (65%) were a result of errors in application development – such as coding errors – with incorrect configuration of web servers accounting for a third of them.

However, the research did discover the percentage of web apps with critical vulnerabilities (52%) had declined for the second year in a row, down from 58% the previous year.

“Web application security is still poor and, despite increasing awareness of the risks, is still not being prioritized enough in the development process,” said Positive Technologies analyst Leigh-Anne Galloway. “Most of these issues could have been prevented entirely by implementing secure development practices, including code audits from the start and throughout.”

Speaking to Infosecurity Eoin Keary, founder and CEO, edgescan, agreed that steps need to be taken to improve application layer security.

“DevSecOps needs to be embraced such that security is throughout the development pipeline,” he said. “Application component security management (software components used by developers) is still not common place in terms of supporting frameworks and software components and is a common source of vulnerability.”

Categories: Cyber Risk News

US Fraudster Pleads Guilty to Using OPM Breach Data

Tue, 06/19/2018 - 10:10
US Fraudster Pleads Guilty to Using OPM Breach Data

A US woman has pleaded guilty to using data stolen in the notorious 2015 OPM breach to secure fraudulent loans.

Karvia Cross, 39, of Bowie, Maryland, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft and could theoretically face anything from two to 30 years behind bars.

She is said to have helped mastermind a wide-ranging fraud campaign, using OPM breach victims’ stolen identities to obtain personal and vehicle loans from Langley Federal Credit Union (LFCU).

“LFCU disbursed loan proceeds via checks and transfers into the checking and savings accounts opened through these fraudulent applications,” the Department of Justice explained. “Vehicle loan proceeds were disbursed by checks made payable to individuals posing as vehicle sellers, while personal loan proceeds were disbursed to LFCU accounts opened in connection with the fraudulent loan applications and transferred to accounts of others.”

Cross and others then withdrew the fraudulently obtained funds, the DoJ said.

Co-defendant Marlon McKnight pleaded guilty to the same charges on June 11.

The revelations are interesting as up until now the US government has blamed China for the devastating attack on the Office of Personnel Management. Some 22.1 million current and former US officials and their friends and family were caught in the breach, which included information on security clearance “background investigations” for military and intelligence roles.

That led many to speculate that foreign agents had co-ordinated the hack to obtain information which could be used to blackmail, coerce and intimidate US personnel and potentially even recruit spies.

It’s somewhat unusual therefore that the same data found its way presumably onto the cybercrime underground where fraudsters like Cross could access it, although there’s no official confirmation of this.

The breach itself was said to have been made possible after hackers stole credentials from a government contractor, something that could have been avoided with stronger security processes and implementation of multi-factor authentication.

Categories: Cyber Risk News

MPs: CNI Attacks Are UK's Biggest Cyber-Threat

Tue, 06/19/2018 - 09:37
MPs: CNI Attacks Are UK's Biggest Cyber-Threat

Attacks on critical infrastructure (CNI) represent the biggest cybersecurity threat facing the UK, according to MPs.

NCC Group polled a representative sample of 100 MPs from all main political parties and found 62% believed compromise of key sectors including transport and utilities to be the biggest risk to the country.

Although all parties agreed on this, they were divided in their views on other threats.

Over two-fifths (42%) of Conservatives claimed a compromise of nuclear capabilities to be one of the top two threats, versus just 14% of Labour MPs. On the other hand, 44% of Labour MPs considered democratic interference to be a major threat, compared to only 16% of Conservative MPs.

On a positive note, MPs do seem to appreciate the consequences of poor cybersecurity. Three-quarters (75%) claimed to be concerned that a breach of their personal email could negatively affect the cybersecurity of the House of Commons, while 73% said that their constituents’ privacy would be the biggest concern emanating from such a threat.

NCC Group’s global CTO, Ollie Whitehouse, welcomed the seemingly high levels of awareness of cyber-issues among MPs.

“In recent years, the government has been proactive in implementing initiatives to strengthen the UK’s stance against evolving technical and geopolitical threats which attempt to compromise the integrity of our nation,” he added. “MPs play a significant role in these initiatives, so it’s important to maintain continued education around modern threats and informed dialogue amongst all stakeholders. This will ensure that parliamentary staff at all levels understand the steps they need to take, in both their professional and personal lives, in order to address cyber-risk head on.”

However, in a keynote speech at Infosecurity Europe earlier this month, parliamentarian and dotcom pioneer Martha Lane Fox argued that politicians are dangerously ignorant when it comes to understanding technology.

“We need to upskill our legislators dramatically if we’re going to cope with the challenges of the coming years,” she said. “We are very far away from having policymakers equipped to deal with the scale of the challenge.”

Categories: Cyber Risk News

Experts Reveal Bugs in Hundreds of IP Cameras

Tue, 06/19/2018 - 09:02
Experts Reveal Bugs in Hundreds of IP Cameras

Security researchers have discovered seven vulnerabilities in nearly 400 models of IP camera from a well-known manufacturer, some of which could be exploited to remotely control the devices.

The team at security vendor VDOO made the discovery as part of wider research into a range of leading IoT products from a broad sweep of manufacturers.

It claimed to have responsibly disclosed the flaws to Axis Communications, which has since released new firmware to address the bugs in 390 models of its internet-connected surveillance cameras.

The vulnerabilities in question are: CVE-2018-10658, CVE-2018-10659, CVE-2018-10660, CVE-2018-10661, CVE-2018-10662, CVE-2018-10663 and CVE-2018-10664.

VDOO claimed that by chaining three of these together, attackers could access the camera login page remotely via the network without needing to authenticate.

With full control over the devices they could access or freeze the video stream, move the lens or turn motion detection off, conscript the device into a botnet for DDoS, Bitcoin mining and other ends and even use it as a beachhead into the main network.

“To the best of our knowledge, these vulnerabilities were not exploited in the field, and therefore, did not lead to any concrete privacy violation or security threat to Axis’s customers,” the firm concluded.

“We strongly recommend Axis customers who did not update their camera’s firmware to do so immediately or mitigate the risks in alternative ways.”

VDOO also released some guidance for IP camera device manufacturers, claiming to have uncovered plenty of “bad architectural practice.” This includes privilege separation for processes, input sanitization, minimum use of shell scripts and binary firmware encryption.

This isn’t the first time Axis Communications has been singled out for attention by security researchers.

In July last year, IT security firm Senrio revealed Devil’s Ivy, a major flaw in the widely used gSOAP web services toolkit which made its way into potentially tens of millions of devices, including those produced by Axis.

Categories: Cyber Risk News

Get Your Apps for Nothing, Your Malware for Free

Mon, 06/18/2018 - 14:22
Get Your Apps for Nothing, Your Malware for Free

Adware is easy money for cyber-criminals who install malware in advertisements. Researchers have discovered a new piece of malware dubbed Zacinlo that specializes in advertising fraud. According to Bitdefender, Zacinlo uses several platforms to pull advertising from, including Google AdSense.

Adware has long been used to augment the earnings of software developers who deliver free applications to consumers. It’s been a winning strategy for app developers whose products have landed in the hands of users around the globe, but the unspoken contract of "no financial strings attached" has been governed by the third-party advertisers. Advertisers absorbing the product’s cost in exchange for customer data is what gave rise to adware.

In a white paper released today, Bitdefender wrote that “adware has witnessed constant improvements over the years in both data collection and resilience to removal. The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user.”

Zacinlo, spyware that has been running since early 2012, infects a user's PC and performs one of two tasks: it either opens invisible browser instances to load advertising banners and then simulates clicks from the user, or it changes ads loaded naturally inside the browser with the attacker’s ads in order to collect advertising revenue.

An interesting feature on this adware is that it includes a rootkit driver that protects itself, as well as its other components. Extremely rare and difficult to remove, rootkit-based malware is usually found in less than 1% of threats.

"Threats like Zacinlo clearly demonstrate that crime does pay. Advertising abuse has been known to happen for years, but Zacinlo takes this to a whole new level. The complexity and longevity, as well as the multitude of samples, shows that the team that operates it manages to defraud significant amounts of money from publishers and advertisers," said Bogdan "Bob" Botezatu, senior e-threat analyst from Bitdefender.

“Since the rootkit component attempts to subvert both the operating system and the security solutions running on top of it, I would highly recommend that – from time to time – users run a full security sweep," Botezatu said.

Categories: Cyber Risk News

Phishing Campaigns Target Sports Fans, Consumers

Mon, 06/18/2018 - 13:34
Phishing Campaigns Target Sports Fans, Consumers

Two phishing campaigns have been targeting consumers of both the FIFA World Cup and one of its longtime partners, Adidas. One campaign attempts to lure victims into clicking on a malicious link under the guise of downloading a World Cup schedule of fixtures and a result tracker, while the second promises a “free” $50-per-month subscription for Adidas shoes.

Today Check Point announced that it has discovered a new phishing campaign linked to the start of the World Cup that targets soccer fans. A known malware that is often used to install potentially unwanted programs (PUPs) and toolbars, adware or system optimizers called DownloaderGuide is embedded in the attachment. Researchers discovered nine different executable files delivered in emails with the subject: “World_Cup_2018_Schedule_and_Scoresheet_V1.86_CB-DL-Manager.” 

First identified on 30 May, Check Point said the campaign peaked on 5 June but has re-emerged since the start of the games. “Events that attract huge amounts of popular interest are seen by cyber-criminals as a golden opportunity to launch new campaigns,” Maya Horowitz, Check Point’s threat intelligence group manager, said in today’s press release.

“With so much anticipation and hype around the World Cup, cyber-criminals are banking on employees being less vigilant in opening unsolicited emails and attachments. As such, it is critical that organizations take steps to remind their employees of security best practices to help prevent these attacks being successful," Horowitz said.

The second phishing campaign, which targets Adidas customers, uses a different tactic, luring victims in with a homographic link that uses a vertical line in place of where the “i” in Adidas should be. “The use of punycode-based homoglyph email and web domains are an increasingly used technique to spoof users in email phishing attacks,” said Matthew Gardiner, cybersecurity expert, Mimecast.

“Given the thousands of possible iterations of a domain that are now possible with these internationalized domain names and the thousands of available top-level domains that are also available, such as .co, .cf, .ml and many others, there is no possibility of preregistering these domains to keep them out of the hands of the bad actors. The only reasonable approach is to have automated email security controls to detect these types of impersonation attacks to protect your organization. Expecting your users to figure it out is increasingly unrealistic,” Gardiner said.

Categories: Cyber Risk News

Risks of Operating Workloads in the Cloud

Mon, 06/18/2018 - 12:36
Risks of Operating Workloads in the Cloud

Misconfiguring buckets in Amazon Web Service (AWS) can leave an organization's sensitive data exposed, indicating the risks of operating workloads in the cloud. A new research report reveals the immediate risks and threats that can be created by deploying workloads in public clouds without the proper security guardrails, security services, or security best practices.

On 19 June, 2018, Lacework is scheduled to release its research, Containers at Risk, which discovered more than 22,000 container orchestration and application programming interface (API) management systems on the Internet – Kubernetes, Mesos, Docker Swarm, and more – highlighting the potential for attack points caused by misconfiguration and weak protocols. The large majority (95%) of the open admin dashboards were hosted inside of AWS.

"The immediate issue is that if somebody gets access to container orchestration systems, they can do anything within the console, from accessing information to the actual machines. One of the big messages here is that the security people in companies that are migrating to the cloud need to get back in the fold. They need to bridge this big gap that exists between developers and security," said Dan Hubbard, chief security architect at Lacework.

On the heels of the Weight Watchers breach in which a Kubernetes console was left exposed on the web without password protection, the report is a reminder that organizations embracing the new technologies underlying modern IT infrastructure – public clouds, virtual machines, containers and API-based environments – need to continuously validate the configuration of their cloud resources for security best practices.

“Cloud misconfigurations are completely avoidable if organizations proactively monitor their cloud computing environments. The incident at Weight Watchers is just another reminder for organizations to ratchet up their compliance and security posture in the cloud,” said Varun Badhwar, CEO and co-founder, RedLock. "Cloud resources should be automatically discovered when they’re created and monitored for compliance across all cloud environments. Further, organizations should implement policy guardrails to ensure that resource configurations adhere to industry standards."

Categories: Cyber Risk News

F-Secure Make Acquisition Bid for MWR Infosecurity

Mon, 06/18/2018 - 11:45
F-Secure Make Acquisition Bid for MWR Infosecurity

F-Secure is set to acquire consultancy and research company MWR Infosecurity.

Calling the acquisition “a significant milestone in the execution of F-Secure’s growth strategy,” the move will see F-Secure gain a number of leading cybersecurity researchers, and also MWR’s products and services including the threat hunting platform Countercept and its suite of managed phishing protection services Phishd.

F-Secure CEO Samu Konttinen said: “I’m thrilled to welcome MWR InfoSecurity’s employees to F-Secure. With their vast experience and hundreds of experts performing cybersecurity services on four continents, we will have unparalleled visibility into real-life cyber-attacks 24/7.

“This enables us to detect indicators across an incredible breadth of attacks so we can protect our customers effectively. As most companies currently lack these capabilities, this represents a significant opportunity to accelerate F-Secure’s growth.”

MWR InfoSecurity CEO Ian Shaw, who will join F-Secure’s Leadership Team after the closing of the transaction in July, said: “We’ve always relied on research-driven innovations executed by the best people and technology. This approach has earned MWR InfoSecurity the trust of some of the largest organizations in the world. We see this approach thriving at F-Secure, and we look forward to working together so that we can break new ground in the cybersecurity industry.”

The acquisition of MWR follows a series of acquisitions in the past of services companies, which security researcher Mike Kemp from Xiphos Research highlighted on Twitter

Security analyst Bob Tarzey told Infosecurity that as both F-Secure and MWR are Europe-based companies, this is not about extending global reach, although their market penetration is complementary to some extent.

“F-Secure will get three things: a managed security service provider capability, better enterprise reach (to date F-Secure has been more consumer/SMB focused) and some complimentary capabilities,” he said.

“Cisco’s 2015 acquisition of Portcullis was also a services play, and yes, as cybersecurity involves, all the main players need more services as well as product capabilities.”

Categories: Cyber Risk News

Europol Disrupts Rex Mundi Cybercrime Group

Mon, 06/18/2018 - 09:53
Europol Disrupts Rex Mundi Cybercrime Group

Europol has taken major steps to disrupting a long-running global cybercrime group after eight arrests in the past year including one in Thailand announced last week.

The international operation supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT) was begun after an unnamed UK company was hit by a major cyber-attack in May 2017.

That attack was claimed by the infamous Rex Mundi group. A French-speaking member of the group called Europol following the incident to demand a €580,000 ransom in Bitcoin for non-disclosure of the customer data stolen or over €825,000 for information on how the group compromised the firm’s systems.

However, the UK Metropolitan Police, the French National Police (High Tech Crime Unit Central Office OCLCTIC-DCPJ) and Europol sprung into action and a month later five people were arrested by the French authorities.

This was followed by two more arrests in France in October last year and now the eighth arrest by the Royal Thai Police of a “French national with coding skills.”

“This case illustrates that cyber-related extortion remains a common tactic among cyber-criminals, as identified in the IOCTA 2017 [Internet Organised Crime Threat Assessment report],” said Europol. “As indicated in the report, for such financially motivated extortion attempts, attacks are typically directed at medium-sized or large enterprises, with payment almost exclusively demanded in Bitcoins.”

This is the kind of cross-border law enforcement co-operation that some experts have warned may become harder following Brexit.

The UK is dependent on the EU to help protect its security interests – including those in cyber-space. If it leaves, the UK might be able to renegotiate an agreement on info-sharing but it won’t have the benefits it currently has, such as direct access to the Europol database, or “the ability to involve itself into our intelligence projects and many other areas,” Europol director, Rob Wainright, said in February 2016.

Categories: Cyber Risk News

US-CERT Uncovers North Korean Typeframe Malware

Mon, 06/18/2018 - 09:28
US-CERT Uncovers North Korean Typeframe Malware

The US-CERT has issued a new alert warning organizations of a fresh North Korean malware threat, a trojan linked to the Hidden Cobra APT group.

The latest Malware Analysis report was compiled by researchers at the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), working with other partners in the government.

The 11 malware samples listed in the report feature executables which “have the capability to download and install malware, install proxy and Remote Access Trojans (RATs), connect to command and control (C2) servers to receive additional instructions, and modify the victim's firewall to allow incoming connections.”

The majority are RC4 encrypted RATs designed to download and delete files, and proxy modules which open the Windows Firewall on victim machines to allow incoming connections.

The report claims that the so-called “Typeframe” malware is related to Hidden Cobra, an APT group linked last year by the CERT to the North Korean government.

The news comes hot on the heels of diplomatic efforts to improve ties with Pyongyang which resulted in the meeting of President Trump and Kim Jong-un last week.

However, North Korean hackers have long been blamed as a persistent state-sponsored hacking threat to the world. Government operatives are thought to have launched the WannaCry ransomware worm that did so much damage in May 2017.

Plus, the infamous North Korea-linked Lazarus Group was pegged among other attacks for the $81m raid on Bangladesh Bank and the devastating info-stealing and destructive malware attack on Sony Pictures Entertainment.

Advice from the US-CERT on mitigating the Typeframe threat includes keeping patches and AV up-to-date, disabling file and printer sharing services, restricting user permissions, enforcing strong passwords and firewalls on each workstation, scanning emails for suspicious attachments and monitoring web browsing.  

Categories: Cyber Risk News

Ex-FBI Boss Comey Used Personal Email for Official Business: Report

Mon, 06/18/2018 - 08:48
Ex-FBI Boss Comey Used Personal Email for Official Business: Report

Former FBI director James Comey used his personal email account to conduct official business, despite investigating Hillary Clinton for the same security oversight, a new report has revealed.

The long-awaited The Justice Department inspector general report was released late last week. It details the FBI’s handling of the investigation into Clinton’s use of a private email server when secretary of state, something that was used by Donald Trump to cast doubt on her suitability as a presidential candidate.

“We identified numerous instances in which Comey used a personal email account to conduct unclassified FBI business,” the report revealed. “We found that, given the absence of exigent circumstances and the frequency with which the use of personal email occurred, Comey’s use of a personal email account for unclassified FBI business to be inconsistent with Department policy.”

Comey apparently forwarded official emails to his personal webmail address when he wanted to work on an unclassified document which would be widely distributed: such as a speech or an FBI-wide missive.

As such, the former FBI boss claimed he had no concerns over the breaking of department policy “because there will always be a copy of it in the FBI system and I wasn't doing classified work there.”

Incredibly, Comey claimed the practice was necessary because he didn’t have an unclassified FBI connection at home that worked, and no one thought to fix it.

That betrays a serious failure of cybersecurity best practice at an institution that ought to know better.

Clinton responded with a short deadpan tweet: “But my emails.”

She has gone on record in the past as claiming that Comey’s investigation into the affair – and his reopening of that investigation just days before voters went to the polls, before closing it again – helped to cost her the presidency.

Ironically, several White House officials in the Trump administration have been accused of using personal email accounts for government business.

Categories: Cyber Risk News