US officials have confirmed their intention to formally extradite Huawei CFO Meng Wanzhou from Canada to face criminal charges, according to reports.
Meng, who is also the daughter of founder Ren Zhengfei, was arrested in Vancouver on December 1 last year at the request of Washington.
A statement from the Department of Justice confirmed that the US plans to meet the 60-day deadline for filing a formal extradition demand, which runs to January 30.
“We will continue to pursue the extradition of defendant Ms. Meng Wanzhou, and will meet all deadlines set by the US/Canada Extradition Treaty,” said DoJ spokesman Marc Raimondi, in the reported statement. “We greatly appreciate Canada’s continuing support of our mutual efforts to enforce the rule of law.”
The news will likely inflame Sino-Canadian diplomatic relations as Beijing continues to lambast Ottawa for what it sees as a geopolitical decision, while Justin Trudeau’s government stands firm on the rule of law.
Beijing has apparently retaliated by arresting two Canadians on suspicion of spying.
It is alleged that Meng participated in a conspiracy at the telecoms equipment giant to trick US banks into breaking sanctions on Iran. This was apparently done by pretending that subsidiary Skycom was not connected to the Shenzhen firm.
Although Huawei has repeatedly claimed it does not represent a national security risk, governments around the world are getting cold feet, following America’s lead in sidelining its role or banning outright its technology in upcoming 5G networks.
The UK is one of the few Five Eyes countries which has taken a fairly liberal stance with the Chinese firm, although an official change in its policy could be on the cards.
Back in November the government reminded 5G network providers to ensure their suppliers are heavily vetted for security.
In a rare appearance, MI6 boss Alex Younger said in December: “We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a quite definite position.”
Hundreds of security researchers have come together in a global non-profit project, working to take down 100,000 malicious websites in just 10 months.
Revealed on Monday, the stats are testament to the power of information sharing among the information security community and hosting providers, when they work together to fight a common foe, according to Abuse.ch.
The non-profit’s URLhaus project saw 265 researchers work together to identify and submit 300 malware sites each day over the period. This makes it easier for hosters to spot and remediate any bad domains on their networks.
“This is not an easy task, especially for large hosting providers that have tens of thousands of customers and hence a significant amount of hijacked websites in their network that are getting abused by cyber-criminals to distribute malware,” the non-profit explained.
However, despite its early success, there’s still a long way to go. URLhaus claimed to observe 4,000-5,000 active malware distribution sites every day, and that they stay active for over eight days on average, potentially infecting thousands of devices in the process.
In China, things are even worse: the three top malware hosting networks have an “average abuse desk reaction time” of over a month.
Of the 380,000 malware samples collected by the project over the past 10 months, Emotet/Heodo was the most common.
“Emotet gets propagated through spam that hits users’ inboxes almost every day. These malspam campaigns usually contain a malicious Office document with macros. Once the victim opens the document and enables macros, it will automatically download and execute Emotet from a compromised website,” Abuse.ch explained.
“To bypass spam filters, these malspam campaigns sometimes point to a compromised website that hosts the malicious Office document instead of attaching it to the email directly. To dismantle these campaigns and prevent users from getting infected with Emotet, it is essential that the associated malware distribution sites are cleaned up in time by the responsible hosting provider.”
The group urged national CERTs, ASN operators and TLD owners to subscribe to the free URLhaus feed and implement its free block lists.
The US Department of Homeland Security (DHS) has taken the unusual step of issuing an emergency directive demanding government agencies take urgent action to protect DNS infrastructure, in response to a major attack campaign.
The Mitigating DNS Infrastructure Tampering directive was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and details the modus operandi of recently reported Iranian activity designed to intercept and redirect web and mail traffic.
The attackers are said to obtain or compromise user credentials to make changes to DNS records, directing users to their own infrastructure for “manipulation or inspection” before sending them on to the legitimate service.
“Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names,” the directive continued. “This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.”
This activity has been observed affecting multiple domains run by executive branch agencies, it claimed.
CISA is demanding all agencies audit their DNS records on all .gov and related domains within 10 days to see if they resolve to the intended location, and report any that don’t.
It also wants users to update passwords for any accounts that can change DNS records, and implement multi-factor authentication (MFA) for these, again within the 10-day timeframe.
CISA also gave notice of a new Certificate Transparency initiative which agencies will have to participate in, by monitoring any log data for issued certificates that they didn’t request.
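One way to carry out the two checks the directive asks for, the record audit against the intended values and the watch for certificates the agency never requested, as an added example that is not CISA’s or the directive’s own tooling. The baseline, the observed snapshot, the CT entries, fingerprints, issuer names and domain names are all constructed placeholders; in practice the observed set would come from querying the authoritative servers or a provider zone export, and the CT entries from a log monitor.

```python
"""Offline DNS-record and certificate-transparency drift check.

Added example, not CISA's or DHS's tooling. Every domain, address,
issuer and fingerprint below is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# domain -> record type -> set of record values
Baseline = Dict[str, Dict[str, Set[str]]]

# The records the organisation intends to publish (constructed).
EXPECTED: Baseline = {
    "www.agency.example": {"A": {"198.51.100.10"}},
    "agency.example": {
        "MX": {"10 mail.agency.example."},
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
    },
}

# Constructed snapshot of what the authoritative servers answer today.
# The A record points somewhere new and the MX has been swapped for an
# unknown relay: the redirection pattern the directive describes.
OBSERVED: Baseline = {
    "www.agency.example": {"A": {"203.0.113.77"}},
    "agency.example": {
        "MX": {"10 relay.unknown-host.example."},
        "NS": {"ns1.agency.example.", "ns2.agency.example."},
    },
}


@dataclass(frozen=True)
class DnsFinding:
    domain: str
    rtype: str
    missing: frozenset     # expected values no longer being served
    unexpected: frozenset  # served values absent from the baseline


def audit_dns(expected: Baseline, observed: Baseline) -> List[DnsFinding]:
    """Return one finding per (domain, type) whose answer differs from the baseline."""
    findings: List[DnsFinding] = []
    for domain, rrsets in expected.items():
        for rtype, want in rrsets.items():
            got = observed.get(domain, {}).get(rtype, set())
            if want != got:
                findings.append(DnsFinding(domain, rtype,
                                           frozenset(want - got),
                                           frozenset(got - want)))
    return findings


@dataclass(frozen=True)
class CtEntry:
    fingerprint: str   # SHA-256 of the DER certificate, hex
    issuer: str
    names: frozenset   # subjectAltName dNSNames

# Constructed CT log entries. Only the first fingerprint matches a
# certificate the agency actually requested.
CT_ENTRIES = [
    CtEntry("ab" * 32, "Example CA", frozenset({"www.agency.example"})),
    CtEntry("cd" * 32, "Other CA", frozenset({"agency.example", "mail.agency.example"})),
    CtEntry("ef" * 32, "Example CA", frozenset({"unrelated.example"})),
]
REQUESTED_CERTS = {"ab" * 32}        # fingerprints of certificates we ordered
OWN_DOMAINS = {"agency.example"}     # registrable domains we are responsible for


def audit_ct(entries: List[CtEntry], requested: Set[str], own: Set[str]) -> List[CtEntry]:
    """Flag certificates that cover one of our domains but were never requested.

    A valid certificate for our names that we did not order is exactly what
    an attacker who controls our DNS records can obtain, so it is the signal
    the directive tells agencies to watch for.
    """
    def covers_us(names: frozenset) -> bool:
        return any(n == d or n.endswith("." + d) for n in names for d in own)

    return [e for e in entries if covers_us(e.names) and e.fingerprint not in requested]


if __name__ == "__main__":
    for f in audit_dns(EXPECTED, OBSERVED):
        print(f"DNS drift {f.domain} {f.rtype}: missing={sorted(f.missing)} "
              f"unexpected={sorted(f.unexpected)}")
    for e in audit_ct(CT_ENTRIES, REQUESTED_CERTS, OWN_DOMAINS):
        print(f"Unrequested certificate {e.fingerprint[:16]}... from {e.issuer} "
              f"for {sorted(e.names)}")
```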
The urgent nature of the directive points to its criticality at a time when the government remains mired in the longest shutdown on record over President Trump’s border wall demands.
In early January, FireEye detailed the cause of the problem, a global DNS hijacking campaign traced back to Iran targeting “dozens” of domains run by government, telecommunications and internet infrastructure providers in the Middle East and North Africa, Europe and North America.
It’s thought that confidential information from Middle East governments may be the ultimate target of the operation.
Attackers can potentially run a malicious MySQL server and gain access to connected data, according to a new security alert.
MySQL has issued a security notice about the LOAD DATA LOCAL statement, noting that the “statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.”
The design flaw exists in the file transfer interaction between a client host and a MySQL server, according to BleepingComputer. Exploiting it would allow a malicious actor to steal sensitive information from a web server that is misconfigured to allow connections to untrusted servers, or from database management applications that permit such connections.
According to the security notice, there are two potential security concerns. “The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)”
In a January 20 blog post, security researcher Willem de Groot responded to the security notice’s claim that this flaw could be leveraged “in theory,” noting that “an Evil Mysql Server which does exactly that can be found on GitHub, and was likely used to exfiltrate passwords from these hacked sites. And could be used to steal SSH keys and crypto wallets, as interfail points out.”
“Although this may not sound critical, since most users are not easily fooled into connecting to an attacker's MySQL server, there are in fact many web servers with exposed database management interfaces that allow attacker-initiated connections to arbitrary servers,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team (VERT).
“Website administrators must be aware that such pages, even when not linked to other content, may be discovered and abused by attackers. Administration tools like Adminer should not be left unprotected in any circumstances.”
After news broke that an Elasticsearch server belonging to several online casinos was left without a password, independent security researcher Bob Diachenko discovered another unprotected Elasticsearch database from AIESEC, a global, youth-run nonprofit.
A database breach exposed more than four million intern applications with personal and sensitive information on a server without a password. The database reportedly contained information from applications tagged as “opportunity applications” for AIESEC internships and “included sensitive information such as email, full name, DOB, gender, plus a detailed description on their intentions for applying for AIESEC as well as interview details,” according to Diachenko’s blog post on SecurityDiscovery.
“Basically, AIESEC was using software that is great for giving their staff access to money-making data, but they focused far too little on protecting the data,” said LUCY Security CEO Colin Bastable.
“GDPR penalties apply to the global revenues of virtue-signaling nonprofits just as much as they do to their virtue-seeking corporate sponsors. I suspect they will get a slap on the wrist, and the IT budget will be invested appropriately in keeping Laurin Stahl out of the IT security press next year. There is probably a significant proportion of nonprofits that are vulnerable in this way, so they should take this as a warning to get serious about securing consumer data. The message for consumers is [that] you can’t trust any organization with your personal data, even if they are driven by the most noble ideals, so share with care.”
This is the second misconfiguration in an Elasticsearch database disclosed this week. News also broke that a password-less Elasticsearch server belonging to a variety of online casinos had compromised the information on over 108 million bets, including customers’ payment card info, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more.
The payment card details indexed in the server were partially redacted, however, suggesting that they were not exposing each user’s full financial details. The leaky server was found last week and was just taken offline on January 21, making it no longer accessible.
“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks, such as the VOIPo and Oklahoma Securities Commission’s latest incidents,” said Mark Weiner, CMO, Balbix.
He continued, “108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as a part of phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.”
Only a few days after the Senate Committee on Aging released a new report in which it found that seniors lose an estimated $2.9 billion each year to financial scams, the insolvency services of Nyman Lisbon Paul and the UK’s Driver and Vehicle Licensing Agency (DVLA) have issued scam alerts warning consumers to beware of cyber scams.
Two weeks ago, Infosecurity reported that 60% of consumers in the UK were leaving themselves vulnerable to scams, and today, Nyman Lisbon Paul tweeted a warning that “pension scam victims lost an average of £91,000 to criminals in 2018, Financial Conduct Authority (FCA) research recently revealed. Criminals often use cold-calls and offers of free pension reviews to convince their victims to comply.”
As scams become more commonplace, government agencies, organizations and concerned citizens are taking to social media to caution consumers about the myriad scams to which they could fall victim. One Twitter user posted:
In an effort to prevent people from falling victim to this and other scams, “DVLA is reminding customers that the only official place to find our services and information is on GOV.UK. Cyber scams are common so we want to help our customers to spot fraudulent activity.”
However, these warnings might be ineffective. According to a recently released report from ERP Maestro that examined the relationship Americans have with cybercrime and identity theft, 76% of Americans believe it is inevitable that they will fall victim to either identity theft or some form of cybercrime. As a result, 48% confess that they are not concerned about becoming a victim. The report found that when it comes to consumer attitudes and behaviors, 57% of Americans believe that if something happens, the damage will be reversed.
In addition, 68% of Americans feel that there is little to nothing they can do to prevent falling victim to cybercrime. Those habits can be potentially dangerous for companies that employ people who don’t take cybersecurity seriously.
"While our mission is to protect companies from cybercrime on the inside, we wanted to examine how concerned people are about cybercrime in their personal life to see if cyber safety is practiced similarly professionally," said Jody Paterson, founder and CEO of ERP Maestro, in a press release.
"Good cybersecurity habits should be practiced at both work and home, but these responses may indicate that the same beliefs and behaviors on cybercrime are also brought into the workplace, and that is a huge risk for companies."
Three dark web drug dealers have been sentenced to a total of over 43 years for supplying hundreds of customers worldwide with notorious opioid fentanyl.
Jake Levene, 22, Lee Childs, 45, and Mandy Christopher Lowther, 21, were sentenced last week at Leeds Crown Court after pleading guilty to exporting and supplying class A drugs.
The group mixed fentanyl and its analog carfentanyl with bulking agents at an industrial unit in Leeds before selling them on sites like AlphaBay under the name “UKBargins,” according to the National Crime Agency (NCA).
It’s unclear how they were brought to justice, although the trio were arrested in April 2017, less than three months before the AlphaBay and Hansa takedowns. When police raided the unit, a laptop was found displaying the UKBargins store on AlphaBay.
Childs was apparently caught on CCTV in a Post Office mailing hundreds of packages of drugs to customers worldwide including as far afield as Australia, Argentina and Singapore.
Between December 2016 and April 2017 the three are said to have turned over £163,474 — selling 2,853 items to 443 customers worldwide, including 172 in the UK.
During the raid, 2.6kg of carfentanyl was recovered including a packet of 440g pure carfentanyl, the largest such seizure of its kind in Europe, according to the NCA.
The drug is said to be 10,000 times more potent than morphine, while fentanyl is up to 10 times stronger. Both have been linked to countless deaths over recent years.
“Fentanyl and carfentanyl are extremely potent, the latter having no medical uses for humans. Not only is it potentially lethal for those taking it, these drugs pose a serious danger to all those that come into contact with them, be that first responders like law enforcement and medical staff, or in this case, postal staff,” said NCA senior investigating officer, Graham Roberts.
“The lengthy jail terms handed down to them today are a reflection on their dangerous and careless actions.”
The UK government’s highly successful Active Cyber Defence (ACD) program should be rolled out across other sectors to improve national cybersecurity, and could even be spurred by the government naming and shaming laggards, according to a new report.
The Cyber Security Research Group at King’s College London (KCL) argued that the ACD has done well in reducing low-level cybercrime against government services.
“There are no significant technical obstacles to extending these protections beyond the public sector and no fundamental reasons why ACD tools and techniques should not be tested and deployed as appropriate,” it claimed.
The report urged stakeholders to actively engage with the government via the National Cyber Security Centre (NCSC) to make this a reality.
It could also be a competitive differentiator for organizations in the future, the report claimed, adding that greater transparency in this area would help consumers decide which ones to trust, while incentivizing firms to improve.
“There will need to be careful calibration of ‘sticks and carrots’ to encourage industry and others to adopt ACD where possible but the existing buy-in of major companies and industry bodies will assist greatly in this process,” the report claimed.
“NCSC has no legal power to mandate ACD in any circumstance, nor does it seek it, so all progress in this area must be based on high standards of transparency, partnership and public reporting, particularly given NCSC’s status as part of GCHQ.”
ACD could even be exported abroad, helping to enhance the UK’s reputation and build out international partnerships, KCL claimed.
Launched in 2016, ACD includes several complementary elements: a takedown service designed to remove malicious content spoofing government domains; DMARC implementation to improve email security; Web Check to test government websites for vulnerabilities; and a Public Sector DNS service to prevent employees being directed to malicious sites.
After just a year of operation the program had enabled the removal of 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK, and 18,000 more sites internationally. Government domains supporting DMARC rose from just over a quarter to nearly 39%, while Web Check produced 4,108 advisories for customers, covering a total of 6,218 different issues.
During 2017, 3TB of DNS data was analysed for security threats, with over 134,000 unique queries blocked.
“The Active Cyber Defence program has been a huge success in protecting government agencies — and those who use them — from cyber threats. Our research finds that it could be legally, cheaply and efficiently rolled out beyond the public sector, to further protect people online,” said Tim Stevens, convenor of KCL’s Cyber Security Research Group.
“Greater transparency around the level of cybersecurity employed by businesses and other organisations will motivate them to adopt ACD measures that will keep users and their data safe.”
In the first major regulatory action of the GDPR era, Google has been fined €50m ($57m, £44m) in France for failing to notify users about how their data is used.
French regulator CNIL issued the fine this week after complaints by two rights groups, noyb and La Quadrature du Net (LQDN), one of which was filed on the day the new legislation came into force.
CNIL claimed it observed two breaches of the GDPR.
First, Google violated the obligation of transparency because “essential information” on how users’ data is processed to personalize ads is spread out across multiple documents. In addition, some of the info “is not always clear nor comprehensive,” the regulator said.
Second, Google did not have a legal basis to process data for ad personalization because user consent was not validly obtained. The reason for this, again, is that user consent is not sufficiently informed, given the difficulty of locating the relevant info across numerous documents.
Also, when creating a Google account, the user must click through to modify options, with the ad personalization box pre-ticked: another no-no in the GDPR era.
The case relates specifically to the creation of a Google account on Android. Although Google’s European headquarters is in Ireland, it was decided that the local data protection authority there did not have decision-making power over the OS and services.
“This is the first time that the CNIL applies the new sanction limits provided by the GDPR,” the French regulator concluded. “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
Google reportedly said it is “studying the decision” before deciding on what to do next.
AlienVault security advocate, Javvad Malik, argued that organizations dealing with customer data need to ask themselves two questions.
“First, what purpose the data is being used for and for how long? Secondly, have the users truly given informed consent? If the answer to either is unclear, then they should not go ahead with it,” he said.
Ron Moscona, a partner at the international law firm Dorsey & Whitney, said the fine was a warning shot across the bows of the digital industry as a whole.
“The data obtained from users can be hugely valuable. Consent can be a significant hurdle to harvesting that data. Business models are evolving, and companies are beginning to learn what regulators in the EU expect,” he added.
“This result is more proof that the GDPR presents a hurdle to the way companies collect and monetize data on the internet. We’ve seen these companies evolve before to deal with regulation, and penalties such as CNIL levelled here will undoubtedly inspire them to evolve even further.”
Innovation center Plexal has announced new partnerships with the Global Cyber Alliance (GCA) and the New York Economic Development Corporation (NYCEDC) to boost international security cooperation at the London Office for Rapid Cybersecurity Advancement (LORCA), launched in June 2018 and hosted/delivered by Plexal.
LORCA was created with £13.5m of funding from the Department for Digital, Culture, Media & Sport to be the UK’s dedicated space for industry-led cybersecurity innovation, supporting the most promising cybersecurity innovators in scaling and growing solutions to meet the most pressing industry challenges.
The new partnerships will aim to help cybersecurity companies scale internationally while also expanding Plexal’s role as a major global cybersecurity cluster.
Andrew Roughan, managing director of Plexal, said: “Sharing knowledge and being open to cooperation between global cyber-innovators and industry is more important than ever. We’re looking forward to deepening our links with new global partners and acting as the UK landing pad and connector. These important partnerships with the New York Development Corporation and the Global Cyber Alliance will mean the emerging cyber stars we support can have even greater direct access to new markets and the networks they need to succeed.”
Andy Bates, GCA executive director for UK and EMEA, added that innovation and entrepreneurship are key to shoring up cyber-defenses. “GCA is pleased to partner with Plexal and LORCA and participate in their program to work with scaleups working on cybersecurity challenges,” he said.
James Patchett, president and CEO at the NYCEDC, outlined the organization’s ambition of making “New York City a hotbed for cyber-innovation, to protect every New Yorker and every business – all while creating good-paying jobs. We’re proud to help launch this important challenge, which will benefit New York City and create game-changing technology for the world to share.”
Global firms could lose over $5 trillion to cybercrime over the next five years, a new Accenture study has warned.
The consulting giant interviewed over 1,700 CEOs and other C-suite executives to compile its report, Securing the Digital Economy: Reinventing the Internet for Trust.
It claimed that as businesses become more dependent on complex web-based models, their ability to innovate and grow securely cannot keep up.
In fact, over three-quarters (79%) claimed that the growth of the digital economy will be held back unless internet security is dramatically improved, while 59% said they don’t know how to react to growing instability.
Most at risk over the next five years are hi-tech companies, which could face losses of $753bn, followed by those in life sciences ($642bn) and automotive ($505bn).
Nearly four-fifths (79%) claimed their organization is adopting new technologies faster than they can secure them, while 80% said third-party threats are increasingly difficult to mitigate.
Only 30% of those polled said they were very confident in their own cybersecurity.
“Strengthening internet security requires decisive — and, at times, unconventional — leadership by CEOs, not just CISOs,” argued Accenture CMT lead, Omar Abbosh. “To become a cyber-resilient enterprise, companies need to start by bringing CISOs’ expertise to the board, ensuring security is built-in from the initial design stage and that all business managers are held responsible for security and data privacy.”
Over half of respondents (56%) said they’d welcome stricter business regulations in the cybersecurity sphere, while three-quarters (75%) claimed that addressing security concerns will require a group effort.
That’s why Accenture is recommending business leaders focus on improved collaboration with their peers, government officials and regulators, as well as improving baseline security across the supply chain.
“No organization can tackle the challenges posed by cyber-threats on its own; it’s a global challenge that needs a global response, and collaboration is key,” explained Accenture Security senior managing director, Kelly Bissell.
“To shape a future that thrives on a strong and trustworthy digital economy, senior executives need to look beyond the bounds of their organization, team with an ecosystem of partners, and secure their entire value chains — across every partner, supplier and customer.”
The Democratic National Committee (DNC) has claimed that one of the same Russian hacking groups blamed for leaking sensitive information in 2016 targeted its employees again just days after the 2018 midterm elections.
In court documents filed at the weekend, the DNC said that the group known as Cozy Bear (aka APT29/The Dukes) posed as a State Department official in spear-phishing emails sent to dozens of its employees.
The emails were booby-trapped with a malware-laden PDF designed to provide access to the victim’s machine.
“In November 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful,” the filing noted.
“The content of these emails and their timestamps were consistent with a spear-phishing campaign that leading cybersecurity experts have tied to Russian intelligence. Therefore, it is probable that Russian intelligence again attempted to unlawfully infiltrate DNC computers in November 2018.”
The revelations are part of a civil suit filed by the DNC against the Kremlin, Julian Assange and WikiLeaks, the Trump campaign, and others. It details an alleged conspiracy to win Trump the presidency by stealing sensitive DNC documents and leaking them ahead of the 2016 election.
The Kremlin has already argued for it to be thrown out, claiming that even if it did hack the DNC, this activity would fall under military operations and therefore be immune from civil claims.
In July 2018, special counsel Robert Mueller indicted 12 alleged Russian intelligence officers for their part in this 2016 operation.
That followed a February charge against 13 Russian nationals and three Russian companies for the alleged role they played in online disinformation and influence campaigns ahead of the election.
A recently discovered trove of breached data is just a small part of a major 871GB haul up for sale on the dark web which could contain billions of records, according to experts.
The 87GB Collection #1 dump was first publicized late last week when noted researcher Troy Hunt was alerted to the files hosted on a popular cloud site. After cleaning up the data he found it contained nearly 773 million unique email addresses and over 21 million “dehashed” passwords.
It has since emerged that this data is two to three years old, gathered from multiple sources, and that the same seller, dubbed ‘Sanixer’ on Telegram, has much more recently obtained data to sell.
Authentication security vendor, Authlogics, claims to have the data from Collection #2, 3, 4, and 5 in its possession and is loading it into its breached password database.
It estimates the new trove of data comes to roughly 784GB, nine times the size of Collection #1, and could contain over seven billion records in its raw state.
In fact, Sanixer may have even more breached and leaked data to sell: the cyber-criminal told researcher Brian Krebs that taken together, all the other packages they have up for sale are less than a year old and total over 4TB in size.
These include one dubbed “ANTIPUBLIC #1” and another titled “AP MYR&ZABUGOR #2.”
The bottom line is that users need to invest in password managers to store and support long-and-strong unique credentials for all the main sites/accounts they have online, and to opt for multi-factor authentication where it’s available.
One security vendor warned in its 2019 predictions report at the end of last year that credential stuffing tools would become increasingly popular among the black hat community as they look to monetize troves of breached data.
“Because of the volume of data breaches in the past years and the likelihood that cyber-criminals will find a lot of users recycling passwords across several websites, we believe that we will see a surge in fraudulent transactions using credentials obtained by cyber-criminals from data breaches,” Trend Micro claimed.
“Cyber-criminals will use breached credentials to acquire real-world advantages such as registering in mileage and rewards programs to steal the benefits. They will also use these accounts to register trolls on social media for cyber-propaganda, manipulate consumer portals by posting fake reviews, or add fake votes to community-based polls — the applications are endless.”
The new year is a time for resolutions and promises of change, so much so that even malware has returned from a bit of time off with some new features, including a new Flash exploit, according to Malwarebytes head of investigations, Jérôme Segura.
The Fallout exploit kit (EK) took a little respite over the first few weeks of 2019, but it has returned, this time using CVE-2018-15982, along with HTTPS support, a new landing page format, and PowerShell to run its payloads. In addition, Segura said the team has seen an increase in RIG EK campaigns, which he suspects might have been an effort to fill that temporary void.
As the malware has returned to business, it continues to spread using malvertising chains. In September 2018, FireEye wrote that the Fallout EK was discovered affecting mostly countries in the Asia Pacific region. Though it did distribute SmokeLoader in Japan, the malware then shifted to dropping GandCrab in the Middle East.
When the malware was detected again in October 2018, the EK was being used in the HookAds campaign, which delivered victims to a fraudulent dating page, according to Malware-Traffic-Analysis.net, which also noted that the first payload was the Minotaur ransomware, followed by AZORult during the second and third runs.
Since Fallout EK's return, Malwarebytes researchers have discovered the malware is delivering the GandCrab ransomware, though it delivers its payload via PowerShell, as opposed to iexplore.exe. “This technique is most likely an attempt at evasion, as traditionally we’d expect the Internet Explorer process to drop the payload,” Segura wrote.
“What this new development tells us is that exploit kit developers are still monitoring the scene for new exploits and techniques,” he continued. “In 2018, several zero-days for Internet Explorer and Flash Player were found and turned into easily adaptable proofs of concept. Even though the market share for IE and Flash continues to drop, there are many countries still running older systems where the default browser is Internet Explorer.”
Malicious code was lurking about in two different apps within the Google Play store, according to researchers at Trend Micro who have disclosed that they discovered a banking Trojan in what seemed like legitimate apps.
Both the currency converter and the battery-saving app have been removed from Google Play, but not before they were downloaded thousands of times. The battery app, BatterySaverMobi, even had 73 reviews resulting in a 4.5 star rating, making it appear all the more legitimate.
“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. And we also saw that it connects to a command and control (C&C) server with the domain aserogeege.space, which is linked to Anubis as well,” researchers wrote.
The apps were reportedly able to evade detection by using the device's motion sensor data.
The malware authors assume that a sandbox scanning for malware is an emulator with no motion sensors, so the dropper monitors the user’s steps: it checks for motion sensor data to determine whether the app is running in a sandbox environment. If it is, the malicious code does not run.
If it does run, though, the user receives a fraudulent prompt, alerting them that a system update is available.
“Here’s more proof that criminals are following users to mobile devices and investing more time and effort in attempting to exploit them. As hard as organizations might work to secure their customers’ mobile experiences, attackers work just as hard to innovate and find ways to take advantage,” said Sam Bakken, senior product marketing manager, OneSpan.
“This is why it’s imperative to give app developers a leg up with one-stop mobile app security tools that allow them to build security into mobile apps from the start, which will save them time and effort and save financial institutions and other purveyors of high-value mobile services money in terms of reduced fraud and maintaining consumer trust in their brand. In addition, meeting attackers’ innovations with mobile app security innovations such as App Shielding – which proactively detects and defends against a variety of nefarious activities executed by mobile banking Trojans such as this one – is another step in the right direction for what will be an ongoing battle.”
A new strain of yet another ransomware campaign has been discovered in which the malicious actors have expanded payment options beyond Bitcoin, offering alternatives (such as PayPal) that are in fact a phishing link, according to MalwareHunterTeam.
Attackers are stealing a page from Daedalus and are killing two birds with one stone by including a link to make a payment. To obtain the decryption key, victims can follow the link to the PayPal phishing page, where their login credentials are stolen. The combination of two threat vectors makes this attack particularly dangerous for unsuspecting victims.
The new attack method combines “a ransom note that directs victims to a PayPal phishing page...Clicking on the Buy Now button, it directs to the credit card part of the phish already (so the login part is skipped). After filling & clicking Agree comes the personal info part & then finished,” the team tweeted. Once that payment is processed, the victim receives a confirmation.
For victims who pay with Bitcoin, the threat actors also requested that victims send an email with a reference number, which is provided in the ransom note.
“Malicious actors are continually becoming more sophisticated. With this particular campaign involving phishing as an immediate follow-up threat vector to the ransomware, this attack has the potential to cause significant harm,” said DomainTools’ senior security adviser, Corin Imai.
“Not only will victims be dealing with the impact of ransomware, but many will also be directed to a carefully crafted phishing site that will attempt to steal their credentials. As seen in past attacks, ransomware campaigns have targeted individuals with the threat of releasing compromising content or rendering their computers useless, leaving victims feeling that they have no choice but to pay up. The best advice in this scenario is to be hyper-vigilant, double-check URLs, and when in doubt, don’t click.”
The third annual CyberFirst Girls competition will kick off on Monday as GCHQ looks to help address a chronic gender imbalance and skills shortage in the industry.
Over the past two years, the intelligence service’s National Cyber Security Centre (NCSC) has managed to attract 12,500 female pupils from schools across the UK to take part.
Teams of up to four plus a teacher or mentor can enter, with girls in Year 8 in England and Wales, S2 in Scotland and Year 9 in Northern Ireland (12-13-years-old) able to participate.
They’ll face a week of online challenges in four key areas — cryptography, cybersecurity, logic and coding and networking — with the top 10 teams competing face-to-face at a grand final in Edinburgh in March.
Participants are also able to apply for a place on CyberFirst Girls Defenders: free four-day residential and non-residential courses taking place in April-May and designed to teach further skills in how to build and protect small networks and personal devices.
James Hadley, CEO of Immersive Labs, welcomed the initiatives as helping to encourage a new generation of cybersecurity talent.
“In my experience, men and women have distinctly different approaches to problem-solving in cyber. Women are typically more methodical — which allows them to take a long-term and determined approach to finding a resolution and complements men's slightly faster-moving approach,” he added.
“In the long term, this initiative will also set the groundwork for building a network of like-minded people to encourage and support one another when starting out in the space.”
Attracting more gender diversity into the information security industry has been a challenge for years. Today just 24% of the global workforce are women, yet the sector as a whole suffers from shortages reaching nearly three million professionals.
Government figures published in December last year claimed that over half (57%) of all UK firms and charities have a “basic technical cybersecurity skills gap.”
It’s a situation predicted to get worse if the UK leaves the European Union as it has signaled this year.
Last month, the government released a new skills strategy in an effort to reduce skills shortfalls and promised that the new UK Cyber Security Council will receive £2.5m of public funding to help in its mission to “lay the structural foundations” of the profession.
However, it has been criticized in the past by MPs for failing to address the immediate challenges facing businesses in the critical national infrastructure sector.
Facebook has removed hundreds of fake Pages and accounts after spotting a coordinated effort by Russian state-linked actors to spread disinformation in Ukraine and other former Soviet countries.
There were two linked campaigns: the first targeting Romania, Latvia, Estonia, Lithuania, Armenia, Azerbaijan, Georgia, Tajikistan, Uzbekistan, Kazakhstan, Moldova, Russia and Kyrgyzstan.
Although purporting to be independent or general interest Pages on topics ranging from weather and travel to politics, they were actually run by employees of Kremlin news agency Sputnik, according to Facebook’s head of cybersecurity policy, Nathaniel Gleicher.
The 289 fake Pages and 75 spoof accounts posted disinformation on local corruption and protests, and anti-NATO sentiment, spending $135,000 on ads, hosting 190 events and attracting 790,000 followers.
Facebook also removed 107 Pages, Groups and accounts and 41 Instagram accounts for similar “coordinated inauthentic behavior” targeting Ukrainians. Account holders pretended to be regular Ukrainian netizens, attracting 180,000 followers and spending $25,000 on ads.
This campaign apparently shared similar characteristics to the disinformation blitz carried out by the Internet Research Agency (IRA) ahead of the US mid-terms last year and the 2016 presidential election.
“We’re taking down these Pages and accounts based on their behavior, not the content they post. In these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action,” said Gleicher.
“While we are making progress rooting out this abuse, as we’ve said before, it’s an ongoing challenge because the people responsible are determined and well-funded.”
The accounts effectively promoted Sputnik content and that of its parent company, state-run Rossiya Segodnya, whilst hiding its true source. The effect was to increase Sputnik’s reach in the countries covered by 170%, according to the Digital Forensic Research Lab.
“Most posts were apolitical, but some, especially in the Baltic States, were sharply political, anti-Western, and anti-NATO,” the body said.
Things could be about to get even worse for Huawei after a report claimed the US Department of Justice is readying an indictment against the firm for IP theft against global partner companies.
One of these is T-Mobile. That case has already been tried in a civil court in 2017, with a federal jury in Seattle siding with the US mobile carrier in finding Huawei liable for the theft of robotic technology it was developing.
The incident happened in 2014, when a Huawei engineer stole part of T-Mobile’s smartphone testing “Tappy” robot, whilst visiting its Bellevue lab as an industry partner.
Now the DoJ is reportedly flexing its muscles, with a criminal investigation into more widespread IP theft by the Shenzhen giant. An indictment could come soon, a person familiar with the matter told the WSJ.
It comes as CFO and daughter of Huawei’s founder, Meng Wanzhou, remains under house arrest in Vancouver awaiting extradition to the US.
This is said to be linked to another criminal investigation, into whether she conspired to trick US banks into unwittingly breaking sanctions on Iran by claiming Huawei subsidiary Skycom was a separate business.
All this comes as governments around the world continue to reassess whether Huawei represents a national security risk as a provider of 5G network equipment.
Although it has protested its innocence on numerous occasions, claiming it’s a victim of geopolitics, the US, New Zealand, Australia, Japan and others have banned or are restricting the firm.
In Poland, the government is mulling whether to change the law to do the same after a sales director in the country was arrested on suspicion of spying.
The German government this week became the latest to consider a ban on Huawei 5G products on national security grounds.
With 5G set to play a key role in critical infrastructure for years to come, the fear is that Huawei may be forced to do the bidding of the Chinese government in the future to provide it with a strategic advantage.
An attack leveraging the open-source Build Your Own Botnet (BYOB) framework has reportedly been intercepted by Israeli cybersecurity firm Perception Point’s incident response team. According to the team, this appears to be the first time the BYOB framework has been found to be used for fraudulent activity in the wild.
While these tactics and techniques have historically been limited in use to financially backed advanced persistent threat (APT) groups, they are now more easily accessed by novice criminals, in part because of the more widespread popularity of plug-and-play hacking kits, researchers said.
In July, a BYOB framework that implements all the building blocks needed to build a botnet was developed to improve cybersecurity defenses; however, what is used by defense can also fall into the hands of those with more malicious intentions. The continued growth of these hacking kits allows any script kiddie or malicious attacker to leverage this framework and carry out attacks that otherwise wouldn’t be possible.
According to the team’s email analysis, victims received an email with an HTML attachment containing both a link to a phishing site impersonating the Office 365 login page and script code that automatically downloaded malware to the victim’s computer. The payload then awaits commands after connecting to the attacker’s server.
“The attack we intercepted was a targeted email attack against one of our clients. It was distributed via the email channel so the extent of it is to whomever the attacker chose to send it to. The nature of the tool [BYOB] used in the attack is mass remote control; therefore, we presume that this wasn't a single email sent, and we expect that others might have been compromised by this attack as well,” said Shlomi Levin, co-founder and CTO, Perception Point.
“The attack was easily prepared using the BYOB framework; hence, it doesn't cost the attacker much investment, so I would expect to see more BYOB used in the future.”