Microsoft claims to have shut down six phishing domains associated with an infamous Kremlin-sponsored group linked to 2016 presidential election interference, as tensions rise ahead of the mid-terms in November.
In a lengthy blog post, president Brad Smith said that Microsoft has increasingly been called upon to disrupt activity from the group, which was blamed by intelligence services for the theft and subsequent dissemination of sensitive Democratic Party data in the run up to the last presidential election.
“Microsoft’s Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six internet domains created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28,” he explained. “We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group.”
However, although Smith placed the takedown in the context of potential election interference ahead of the 2018 mid-terms, the domains themselves are non-partisan.
“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate,” he continued. “Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the US Senate but are not specific to particular offices.”
To help repel the threat, Microsoft has announced a new initiative, AccountGuard, designed to provide “state-of-the-art” protection to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations.
The offering features threat notifications, user education and guidance and early adopter opportunities.
Experts welcomed the move but cautioned that it would do little to disrupt any Russian state-backed cyber-espionage.
“Though APT28 has leveraged data gathered from intrusions to carry out active measures, such as targeted leaks through false personas, incidents of this nature do not necessarily signify such an operation,” argued FireEye director of threat intelligence, John Hultquist. “In fact, the principal focus of APT28 has always been quiet intelligence collection for the decision advantage of its sponsors — the Russian military and policymakers.”
F-Secure security advisor, Sean Sullivan, welcomed the new product offering, but said the discussion of the 2018 mid-terms threatens to overwhelm the bigger picture.
“The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy,” he claimed. “That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an ‘attack’ on the elections that risks missing the complete threat model — and therefore the complete countermeasures that should be taken.”
Dtex Systems CEO, Christy Wyatt, added that the shut downs are a mere drop in the ocean.
“Assessments we conducted as part of our 2018 Insider Threat Intelligence Report revealed that 67% of organizations had instances of employees visiting high risk websites, which is exactly what the sites Microsoft identified are,” she said.
A leading US healthcare organization (HCO) has admitted that a phishing attack last September may have led to the compromise of highly sensitive data on nearly half a million patients.
Georgia-based Augusta University Health claimed it was notified by investigators on July 31 that a September 2017 phishing attack on hospital staff may have given the hackers access to data on around 417,000 patients.
A second phishing attack on July 11 is also being investigated, and although the HCO said it was “smaller in scope” there were no more details about those potentially affected.
The breached information apparently includes a huge variety of sensitive data such as: addresses, dates of birth, medical record numbers, medical, treatment and surgical info, diagnoses, lab results, medications, insurance information and — for a small percentage of patients — even their Social Security and driver’s license numbers.
That kind of information could be used in follow-on phishing attacks, to conduct identity fraud attempts, or even to blackmail individual patients.
The HCO claims to have seen no misuse of the information so far, although that will be little comfort to those affected.
The apparent failure of internal security and incident response processes that left the breach undetected for 10 months, plus a further fortnight's delay between notification and public reporting, would have been taken very seriously by GDPR investigators, although it’s unlikely any EU citizens’ data is among that affected.
The hospital claims to have taken several steps to improve its cybersecurity posture since, including creating a VP of compliance and risk management, implementing MFA and revising its email policies.
Luke Brown, EMEA VP at WinMagic, said that a lack of encryption is a common pitfall which comes back to haunt breached firms.
“Falling victim to cyber-criminals is a simple matter of fact these days, and all organizations need to take precautions to mitigate the risks of an attack,” he added.
“All sensitive data, whether it is patient details or the patent to your best-selling secret sauce, should be encrypted as a basic security practice. In the event of a data breach, encryption acts as a last line of defense making data illegible when in the hands of malicious parties.”
A new study from Corero Network Security has revealed that the most damaging consequence of a distributed denial-of-service (DDoS) attack for a business is the erosion of customer trust and confidence.
The firm surveyed IT security professionals at this year’s Infosecurity Europe, with almost half (42%) of respondents stating loss of customer trust and confidence as the worst effect of suffering DDoS, with just 26% citing data theft as the most damaging.
Third most popular among those polled was potential revenue loss (13%), followed by the threat of intellectual property theft (10%).
“Network and web services availability are crucial to ensuring customer satisfaction and sustaining customer trust and confidence in a brand,” said Ashley Stephenson, CEO at Corero Network Security. “These indicators are vital to both the retention and acquisition of customers in highly competitive markets. When an end user is denied access to internet-facing applications or network outages degrade their experience, it immediately impacts brand reputation.”
Corero’s findings come at a time when DDoS attacks continue to cause havoc for organizations around the world.
Link11’s Distributed Denial of Service Report for Europe revealed that DDoS attacks remained at a high level during Q2 2018, with attackers focusing on European targets 9,325 times during the period of April-June. That equated to an average of 102 attacks per day.
“The cyber-threat landscape has become increasingly sophisticated and companies remain vulnerable to DDoS because many traditional security infrastructure products, such as firewalls and IPS, are not sufficient to mitigate modern attacks,” added Corero’s Stephenson. “Proactive DDoS protection is a critical element in proper cybersecurity protection against loss of service and the potential for advanced, multi-modal attack strategies.”
“With our digital economy utterly dependent upon access to the internet, organizations should think carefully about taking steps to proactively protect business continuity, particularly including DDoS mitigation.”
Scores of teenage students have been given some vital hands-on experience of working in the cybersecurity sector after taking part in the UK government’s CyberFirst initiative.
This particular program was run by the Nuclear Decommissioning Authority (NDA) and saw around 45 students aged 13-17 work alongside industry experts at its Workington facility.
Sessions covered a range of topics including device security and understanding networks, with an emphasis on developing the skills needed to protect critical digital infrastructure.
The course is said to be part of an £80m investment in cyber-safety by the NDA over the next five years.
“The CyberFirst initiative is a pivotal part of the government’s National Cyber Security Programme,” said NDA security information and services director, Rob Higgins.
“Cybersecurity and resilience is vital to the NDA and its estate, so encouraging young people into cyber-related careers will go a long way in helping to keep us safe in the future from the growing cyber-threat.”
CyberFirst was developed by GCHQ’s National Cyber Security Centre (NCSC) as a way to encourage the next generation of talented young professionals into the industry.
UK firms are approaching a cybersecurity skills “cliff edge” as older professionals retire without newer recruits taking their place in the same numbers, according to the eighth Global Information Security Workforce Study (GISWS).
In fact, two-thirds of UK companies reported not having enough cybersecurity personnel, with 47% claiming the reason is a dearth of qualified applicants.
It’s a problem mirrored elsewhere around the globe, with the worldwide shortfall of cybersecurity workers set to reach 1.8 million by 2022.
Rob Norris, VP head of enterprise & cybersecurity at Fujitsu EMEIA, welcomed the latest CyberFirst program.
“In a world of connected devices and, in future, more and more AI and machine learning, ensuring we give future generations the skills to protect data is vital and it comes at a key time,” he said.
“In light of recent attacks it is especially important that we, as a nation, do more to help the next generation understand the positive impact this knowledge will have on their lives and future careers.”
The number of cybercrime prosecutions in the UK fell for the second successive year in 2017 as police struggled with increasingly complex cases, according to a leading law firm.
There were just 47 prosecutions under the Computer Misuse Act and other laws last year, down 18% from the 57 in 2016, according to London-based Reynolds Porter Chamberlain LLP (RPC).
This is despite a growing threat from cyberspace: 43% of businesses and two in 10 charities (19%) experienced a cybersecurity breach or attack in the past 12 months, according to government research from earlier this year.
RPC claimed police simply don’t have the resources necessary to tackle much of what’s going on, especially as many attacks are launched from outside the country and the EU, while others are obfuscated through the use of encryption and proxies.
The law firm urged organizations to put in place “wide ranging precautions” including cyber-insurance to mitigate the threat of financial, reputational and regulatory risk that can result from a serious online attack.
“Police forces are doing their best with the resources they have but the scale of the problem means businesses cannot necessarily rely on the police to really help them when there is a cybercrime,” said RPC partner Richard Breavington.
“There will have to be some radical changes before businesses can start depending on the law enforcement agencies rather than private industry, including insurance, to help them if they have suffered from a cybercrime.”
In 2015, there were 61 recorded prosecutions for cyber-offenses, up by over a third from a figure of 45 in 2014, according to law firm Pinsent Masons.
Earlier this month the government announced a £100m cash injection for the police to help drive digital transformation projects, but most experts agree that law enforcement in the UK still lacks the cyber-skills to make a serious dent in online crime.
New research from think tank Parliament Street has revealed that the National Health Service (NHS) has misplaced almost 10,000 patient records in the last year.
Parliament Street liaised with 68 NHS Trusts to examine levels of reported missing or lost patient records, compiling its findings into the report NHS Data Security: Protecting Patient Records.
The total number of misplaced records reported by the 68 trusts was 9,132, with just 16 of those claiming that they had not suffered any lost or stolen data in the last year. What’s more, many of the trusts admitted they still had data missing.
In terms of the individual trusts that fared the worst, the University Hospital Birmingham topped the list with 3,179 records missing or stolen, Bolton NHS Trust (2,163) in second place and University Hospital Bristol (1,105) in third.
Perhaps most surprisingly, the report also revealed that 94% of NHS Trusts continue to use handwritten notes for patient record keeping, something Parliament Street highlighted as a significant security risk.
“The process of developing patient records through handwritten notes may be convenient, but it inevitably leads to errors and potential security issues,” Parliament Street wrote.
“It is clear that paper-based systems are no longer fit for purpose and NHS Trusts should work towards implementing digital systems with records capture via tablet computers and mobile devices.”
Barry Scott, CTO EMEA at Centrify, said, “These incidents underline the need to improve security procedures around the management of health records within the NHS. With sales of health records on the dark web and identity fraud on the rise, the need to protect the privacy of patients whilst moving towards secure digital systems is both urgent and essential.”
The health service remains a top target for hackers, and whether their motive is to wreak havoc or steal identities, it’s critical that every single patient record is treated as a high priority by health trusts, Scott added.
“Achieving this means ensuring only accredited doctors, nurses and staff can access private information, and providing encryption and identity access management solutions to keep cyber-criminals locked out.”
An Australian teenager has pleaded guilty after hacking Apple’s IT systems several times over the course of a year and downloading 90GB of content.
The 16-year-old Melbourne schoolboy, who can’t be named for legal reasons, is said to have accessed customer accounts but no personal data. In fact, it’s unclear what content was taken in the raids, but the stolen data was reportedly stored in a folder named “hacky hack hack.”
However, he appears not to have taken any steps to hide his identity. Apple notified the FBI of the unauthorized intrusion, and the Feds in turn contacted the Australian Federal Police (AFP), which obtained a warrant to raid the family home.
On doing so they reportedly found two Apple laptops with serial numbers matching the devices used to obtain authorization keys to access the tech giant’s network. The boy’s IP address also tallied with the attacker’s, as did a seized mobile phone and hard drive, as well as the hacking software found on one of the laptops.
Lawyers for the teen argued that he carried out the unauthorized intrusions because he was a fan of the company and dreamed of working there one day, according to The Age.
“At Apple, we vigilantly protect our networks and have dedicated teams of information security professionals that work to detect and respond to threats,” Apple said in a statement.
“We regard the data security of our users as one of our greatest responsibilities and want to assure our customers that at no point during this incident was their personal data compromised.”
The boy is set to be sentenced next month.
More than half (56%) of workers in the UK believe their employer is monitoring them at work, according to new research from the TUC.
The trade union federation commissioned BritainThinks to run focus groups and poll a representative sample of 2,100 members of the UK public to find out more about attitudes to surveillance at work.
Along with the majority that thinks it’s “likely” they’re being monitored at work, nearly three-quarters (72%) believe it’s at least “fairly likely” that they’re subjected to one or more forms of workplace monitoring.
The monitoring of work emails, personal files and web browsing was pegged as “very likely” or “fairly likely” by 49% of respondents, followed by CCTV (45%) and phone logs and calls (42%).
These are, of course, only the perceptions of employees. Aside from clearly visible CCTV, it would be hard for most workers to say with any certainty whether their employer is engaged in surveillance activities.
In fact, under the GDPR, any employer that wants to engage in monitoring of staff must have a clear legal basis for doing so and has to notify staff of any such measures. Limited surveillance may be justified for health and safety and regulatory compliance reasons, or to prevent crime, misconduct and other reasons.
The forms of surveillance deemed least acceptable to respondents were: facial recognition software and mood monitoring (76% against), monitoring of social media accounts outside work (69%), monitoring employee’s location via mobile devices (67%) and keylogging (57%).
Two-thirds of workers (66%) said they’re worried that surveillance by employers could be used in a discriminatory way if left unregulated, while 70% believe monitoring will become more commonplace in the future.
The TUC wants to have a bigger say in such rules, demanding a legal right to be consulted on use of surveillance tools at work before they are implemented.
General secretary, Frances O’Grady, said employers shouldn’t use technology to “control and micromanage” their employees.
“Monitoring toilet breaks, tracking every movement and snooping on staff outside of working hours creates fear and distrust. And it undermines morale,” she added.
“New technologies should not be used to whittle away our right to privacy, even when we’re at work. Employers should discuss and agree workplace monitoring policies with their workforces — not impose them upon them. Unions can negotiate agreements that safeguard workers’ privacy while still making sure the job gets done.”
The European Commission looks set to force social networks to take down terror content within one hour, in light of the apparent failure of self-regulation.
Security commissioner, Julian King, told the FT on Sunday that he had “not seen enough progress” from the likes of Facebook, Google and Twitter on the issue since voluntary guidelines were tightened back in March.
“We cannot afford to relax or become complacent in the face of such a shadowy and destructive phenomenon,” he claimed.
At that time, the Commission had promised to review the guidelines in three months and draw up legislation if it felt self-regulation wasn’t working.
Part of the challenge appears to be the lack of consistency in how such material is handled, depending on the content platform involved.
“The difference in size and resources means platforms have differing capabilities to act against terrorist content and their policies for doing so are not always transparent,” said King. “All this leads to such content continuing to proliferate across the internet, reappearing once deleted and spreading from platform to platform.”
However, the report claimed that even inside the Commission, there are some who believe self-regulation has actually been very successful.
Google has claimed that over 90% of terror content was automatically flagged and removed from its popular YouTube platform, with half of the videos garnering fewer than 10 views. Facebook has also claimed success, saying 1.9 million pieces of content promoting Isis and al-Qaeda were detected in the first quarter of 2018.
It’s believed the hard line from Brussels may be part of an attempt to head off unilateral action from some EU member states.
Germany has already passed a hate speech law which mandates social networks take down “obviously illegal” content, including fake news, terror posts and racist material, within an hour or risk a €50m fine.
The European Commission proposals reportedly being drafted would need to pass the European Parliament and gain approval from the majority of member states to become law.
Penetration tests help organizations gain a better understanding of how well protected they are against cyber-attacks. When Kaspersky Lab performed several dozen cybersecurity assessments on corporate networks, it found that the overall level of protection against external attackers was low or extremely low for almost half of the analyzed companies.
The report, Security Assessment of Corporate Information Systems in 2017, found that three-quarters (73%) of successful perimeter breaches in 2017 were achieved using vulnerable web applications.
Using weak or default credentials to attack publicly available management interfaces was also a common vector threat actors employed to penetrate the network perimeter. Experts gained administrative access to IT infrastructure in 29% of the external penetration tests performed, but the success rate soared to 86% of the analyzed companies when testing against internal attackers. In 42% of those cases, it took penetration testers only two steps to gain the highest privileges granting them access to important business systems.
“An extremely low level of protection corresponds to those cases where we were able to penetrate the network perimeter and gain access to the critical resources of the internal network,” the report stated.
While the level of protection against internal threats – a threat actor inside the corporate network – was low or extremely low for 93% of the analyzed companies, the analysis showed that organizations are better protected against external threats. The overall level of protection against external threats – an outside intruder from the internet – was low or extremely low for 43% of organizations.
“Qualitative implementation of the simple security measures like network filtering and password policy would significantly increase the security stance,” said Sergey Okhotin, senior security analyst of security services analysis at Kaspersky Lab in a press release. “For example, half of the attack vectors could have been prevented by restricting access to management interfaces.”
The Obama Presidential Policy Directive 20 (PPD-20) that outlined the interagency communications required for the US to deploy cyber-weapons was reversed by President Trump, according to a report from the Wall Street Journal Wednesday 15 August.
Infosecurity Magazine contacted the White House for comment, but the Trump administration reportedly has not issued an official statement on the decision to reverse PPD-20. A National Security Council spokesman told Inside Cybersecurity that the administration was not planning on issuing a public statement.
Cyber-threats and cyber-attacks from nation-state actors require action, but planning and executing offensive actions necessary to protect US interests and assets from foreign aggressions can take months or years, said John Gunn, chief marketing officer at OneSpan. “With proper safeguards, this is a positive initiative that will raise our security.”
The US is not the first country to permit offensive techniques in order to prevent cyber-attacks from reaching its borders. Many experts, including Joseph Carson, chief security scientist at Thycotic, are in favor of cyber-offensive capabilities. Yet challenges exist in cyberspace.
“The biggest problem we have is absolute attribution to knowing who exactly carried out the cyber-attack and is it possible that it was a misdirection to put political pressure on two or more countries,” Carson said.
“We have AI and other techniques, but cyber-criminals have the ability to make it look like someone else committed the crime,” Carson continued. “With cyber-mercenaries on the increase, the only way to get attribution is to go back to the old methods of having human spies who can confirm the attack happened and was initiated by aggressive cyber-countries. Many countries are already committing cyber-attacks on a large scale, and the US has been poor at responding to such attacks. For example, the attack on the DNC and OPM. My personal stance is that cyber-offensive should only be carried out by government agencies and not permitted by citizens.”
The reversal of PPD-20 also sends a global message at a critical time for the US. “The change in the US government stance on cyber weapons being used for cyber-offensive against adversaries comes just ahead of the US midterm elections. This is very likely a public indication that any nation-state who tries to hack or manipulate the upcoming elections, the US government has taken the gloves off and will respond,” Carson said.
The increased number of firewalls within security infrastructures has created challenges, leaving many organizations struggling with basic firewall management, according to a new report from FireMon.
In its fourth annual State of the Firewall report, FireMon polled 334 C-suite executives, IT practitioners and security professionals at global companies of all sizes to understand both the state of firewall management and the impact of emerging technologies.
The report found that companies planning to adopt hybrid cloud models face the potential of increased risk with network security policy management if they are not practicing basic firewall hygiene. For the vast majority of participating organizations, the firewall remains a critical tool in their overall security ecosystem. In fact, 94% said firewalls are either as critical as or more critical than they have ever been and believe the firewall will still be as critical or more critical over the next five years.
The survey also found that 24% of companies invest more than 25% of their total network security budget in firewall technologies, and a further 39% allocate between 10% and 24%, confirming that firewalls will remain a signature tool in the overall security architecture.
Those firewall technologies do present challenges, though. For nearly a third (30%) of the responding companies, rule complexity is a top challenge. Policy compliance and audit readiness is problematic for 17% of companies and 14% are pained by firewall rule optimization.
With more than 26% of companies managing over 100 firewalls on their network, organizations are challenged with firewall management. A third of participating companies said they have 10 to 99 firewalls on their network. The increased number of firewalls companies are managing produces overwhelming numbers of change requests each week, leaving 40% of companies processing 10 to 99 requests.
“Many companies are still trying to manage firewall rules manually, but in this era of next-gen architectures and sophisticated malware, this is no longer an effective way to enforce access policies and mitigate risk,” said FireMon CEO Satin Mirchandani in a press release.
“With more than half of survey respondents stating that three or more teams are involved in change management, the high number of change requests alone can drain valuable time, resources and budget from any security program. Factor in new technology adoption, and the stage is set for further policy management problems.”
Security experts are warning of another major smart home security threat after revealing that as many as 32,000 businesses and homes have failed to protect systems exposed via the internet.
The issue resides in the lightweight Message Queuing Telemetry Transport (MQTT) protocol, favored in IoT networks to transfer data between machines.
When implementing it at home, users are required to set up a server (an MQTT broker), usually on a PC or mini-computer like a Raspberry Pi, that the devices communicate with.
Unfortunately, security vendor Avast found 49,000 such MQTT brokers publicly visible on the internet via a simple Shodan search, 32,000 of them with no password protection. This global figure might seem rather low, but the vendor clarified to Infosecurity that the protocol is used mainly by more “advanced tech users.”
This could be creating cybersecurity, privacy and even physical security risks for users, according to Avast researcher, Martin Hron.
“It is frighteningly easy to gain access and control of a person’s smart home, because there are still many poorly secured protocols dating back to bygone technology eras when security was not a top concern,” he argued. “Consumers need to be aware of the security concerns of connecting devices that control intimate parts of their home to services they don’t fully understand and the importance of properly configuring their devices.”
Hron painted several scenarios where these MQTT issues could be exploited by attackers.
With access to MQTT data, they could read the status of smart window and door sensors and locks and smart lighting, and even insert their own commands into the data to open doors, he claimed.
If the broker itself is password protected, hackers could try the smart home dashboard running on the same IP address, as these are often either unprotected or secured with easily cracked passwords. If that avenue fails, they could look for open, insecure SMB shares exposed by installations of the popular Home Assistant platform, which Avast found to include passwords and keys stored in plaintext; these could give an attacker complete control over the smart home, the vendor claimed.
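The check behind the exposure figures above can be reproduced against a single broker with an ordinary MQTT CONNECT packet. The following is an added example, not Avast’s code: it builds a minimal MQTT 3.1.1 CONNECT with no credentials, sends it to a broker and decodes the CONNACK return code, which is 0 when the broker accepts anonymous clients. The host and port arguments and the "probe-" client id prefix are assumptions for the demo; only run it against brokers you are authorised to test.

```php
<?php
// Added example (not from the Avast research). Probes an MQTT broker for
// anonymous access by hand-building the CONNECT packet and reading CONNACK.
// Usage: php mqtt_probe.php <host> [port]   (host/port are assumptions)

const CONNACK_CODES = [
    0 => 'accepted: broker allows this (anonymous) connection',
    1 => 'refused: unacceptable protocol version',
    2 => 'refused: identifier rejected',
    3 => 'refused: server unavailable',
    4 => 'refused: bad user name or password',
    5 => 'refused: not authorized',
];

// MQTT "remaining length" is a variable-length integer, 7 data bits per byte,
// high bit set on every byte except the last.
function encodeRemainingLength(int $n): string {
    $out = '';
    do {
        $byte = $n % 128;
        $n = intdiv($n, 128);
        if ($n > 0) {
            $byte |= 0x80;
        }
        $out .= chr($byte);
    } while ($n > 0);
    return $out;
}

// Length-prefixed (big-endian 16-bit) UTF-8 string, as used throughout MQTT.
function mqttString(string $s): string {
    return pack('n', strlen($s)) . $s;
}

// CONNECT packet: fixed header 0x10, variable header (protocol name "MQTT",
// level 4, connect flags, keepalive), payload (client id [, username [, password]]).
function buildConnect(string $clientId, ?string $user = null, ?string $pass = null): string {
    $flags = 0x02;                         // clean session, no will message
    $payload = mqttString($clientId);
    if ($user !== null) {
        $flags |= 0x80;                    // username flag
        $payload .= mqttString($user);
        if ($pass !== null) {
            $flags |= 0x40;                // password flag
            $payload .= mqttString($pass);
        }
    }
    $varHeader = mqttString('MQTT') . chr(0x04) . chr($flags) . pack('n', 10); // keepalive 10s
    $body = $varHeader . $payload;
    return chr(0x10) . encodeRemainingLength(strlen($body)) . $body;
}

// CONNACK is always 4 bytes: 0x20, 0x02, session-present flags, return code.
function parseConnack(string $data): int {
    if (strlen($data) < 4 || ord($data[0]) !== 0x20 || ord($data[1]) !== 0x02) {
        throw new RuntimeException('not a CONNACK packet');
    }
    return ord($data[3]);
}

function probeBroker(string $host, int $port = 1883, ?string $user = null, ?string $pass = null): int {
    $sock = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 5);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_timeout($sock, 5);
    fwrite($sock, buildConnect('probe-' . bin2hex(random_bytes(4)), $user, $pass));
    $reply = fread($sock, 4);
    fclose($sock);
    return parseConnack((string)$reply);
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $code = probeBroker($argv[1], (int)($argv[2] ?? 1883));
    echo $code, ': ', CONNACK_CODES[$code] ?? 'unknown return code', PHP_EOL;
}
```

A return code of 0 only proves the broker accepted the session; some brokers still apply per-topic ACLs afterwards, so a follow-up SUBSCRIBE to `#` is the fuller test. On a Mosquitto broker the settings that close the hole described above are `allow_anonymous false` together with a `password_file`, and binding the listener to the LAN address rather than all interfaces so that the broker is not reachable from the internet at all.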
Avast also warned that hackers could track users’ location if they use the MQTT-compatible OwnTracks app.
Cybersecurity experts have welcomed the greater numbers of students taking the Computing A-level exam in the UK this year but warned more is needed to fill the talent pipeline for workplace roles.
A-level results were announced on Thursday and revealed an increase in numbers taking the IT course, from 8,299 last year to 10,286 in 2018.
Grades were also up slightly. Some 3.3% gained an A*, up from 3%, while 18.2% got an A grade or above, up from 16.9%. The cumulative share achieving a B or above also rose slightly (by 1.7 percentage points) to 39.3%, while the share at C or above rose 1.3 points to 62.5%.
Although the vast majority taking the course (88%) were male students, they were outperformed again by their female counterparts.
These figures are a slight improvement on the 90% of male students who took the course last year, but the gender imbalance is an ongoing challenge that is mirrored in university courses, explained Ivanti director and UK Women in Tech ambassador, Sarah Lewis.
“The digital skills gap is a massive issue in the UK and globally, as technology — including malevolent technology such as the tools used by cyber-criminals — evolves at a rapid pace. Bring the number of women working in computing up so that it is equal to men and you've doubled the talent pool,” she argued.
“It sounds simple in theory, but in practice it requires businesses and governments to invest in programs and schemes to break down barriers stopping young women from viewing a career in computing, and technology more widely, as viable. The future must be female in order to bridge the digital skills gap.”
Trend Micro principal security strategist, Bharat Mistry, also argued that more work is needed to build a stronger pipeline of talent to enter the workforce.
“Closing this gap isn’t just a challenge for the public sector to solve, businesses have their role too,” he said.
“Whether that’s through hosting hacking competitions aimed at students and young professionals, or offering up their experts to help train school leavers, businesses can help those interested in cybersecurity build on their technical skills and learn how to solve real-world problems in a dynamic environment — making them workplace-ready.”
Alex Hinchliffe, a threat intelligence analyst at Palo Alto Networks' Unit 42, argued that even those not taking IT-related courses at school should be encouraged to consider a career in cybersecurity.
“People who studied humanities, for example, are often better at predicting malware patterns based on previous information,” he claimed. “Threat research degrees have also recently become available as the industry booms, and while maths may be necessary for certain roles, humanities and social science graduates are just as valuable to a threat intelligence team.”
A British researcher has published details of a serious WordPress flaw left unfixed for over a year which could allow for complete system compromise.
By uploading a specially crafted file to the targeted app, attackers can trigger a file operation through the "phar://" stream wrapper. That in turn triggers XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF) flaws which force the app to "unserialize" metadata contained in the file, potentially resulting in execution of malicious code.
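The defensive point behind that paragraph is that ordinary filesystem calls in PHP honour stream wrappers, so a caller-controlled path is enough to reach the "phar://" handler. The following is an added example, not Secarma's research code nor WordPress's own; it shows the risky call pattern beside a hardened version that only accepts a plain file name under a fixed directory (the function names and the `$baseDir` layout are assumptions).

```php
<?php
// Added example, not Secarma's research code nor WordPress's own.
// First the risky pattern: a caller-supplied path handed straight to a
// filesystem call. Then a hardened version that only accepts a single
// path component under a fixed directory, so no stream wrapper can be chosen.

// Risky pattern: file_exists() and similar calls honour stream wrappers,
// so a wrapper prefix in $name changes what the call does, not just
// where it looks. This is the class of call the research abuses.
function thumbnail_exists_unsafe(string $name): bool {
    return file_exists($name);
}

// Hardened version. Assumptions (ours): uploads live under $baseDir and a
// valid name is one path component made of safe characters.
function thumbnail_exists_safe(string $name, string $baseDir): bool {
    // Allow-list the name: no slashes, no colons, hence no "scheme://" prefix.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?\z/', $name)) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // Build the path ourselves; realpath() is false when the file is missing.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($resolved === false) {
        return false;
    }
    // Containment check, in case a symlink inside $base points elsewhere.
    return strncmp($resolved, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Defence in depth: if the application never opens phar archives at
// runtime, unregister the wrapper early in bootstrap so that "phar://"
// paths cannot be resolved by any later file operation.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed checks for inspection: a wrapper-prefixed name is rejected
// by the allow-list before any filesystem call is made, while a plain
// name of an existing file in the directory is accepted.
var_dump(thumbnail_exists_safe('phar://upload.jpg', __DIR__));
var_dump(thumbnail_exists_safe(basename(__FILE__), __DIR__));
```

The wrapper unregistration is a blunt tool: apply it only after confirming nothing in the deployment loads code or assets from .phar archives.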
Secarma claimed its research reveals that a category of vulnerabilities previously not considered critical can in fact have a major impact on victim systems.
“This research continues a worrying recent trend, in demonstrating that object (un)serialization is an integral part of several modern languages,” said Thomas. “We must constantly be aware of the security impact of such mechanisms being exposed to attackers.”
WordPress is used by millions of web owners around the world including 30% of the world’s top 1000 websites, according to Secarma, meaning hackers could reach a potentially huge number of victims.
The popular open source CMS platform was notified in February 2017 but has yet to fully resolve the issue, according to the UK research firm.
“WordPress is an incredibly popular platform, widely used across the globe by bloggers, news outlets and all manner of businesses. It’s not uncommon to uncover vulnerabilities in systems and it’s important that organizations react quickly to protect their customers when something like this is discovered,” said Secarma CEO Lawrence Jones.
“Penetration testing is very accessible nowadays and it’s so important that businesses are proactive and regularly test any applications they put online.”
A campaign that began weeks ago and targeted approximately 2,700 Fortune 100 banking institutions in the US and around the world with a widespread botnet attack came to a sudden halt as of 15:37 EST on 15 August, according to researchers at Cofense. The phishing emails appeared to be coming from India and contained the subject lines “Request BOI” or “Payment Advice.”
Malware analysts had been tracking the Necurs botnet for the last several months and observed the highly targeted phishing campaign as an attempt to go after the financial sector for the first time. The threat actors were reportedly attempting to get a foothold on the banks’ infrastructure and set the stage for potential further attacks.
First observed in 2012 and famed for sending Locky a few years ago, the Necurs rootkit couples multiple Domain Generation Algorithms (DGAs) with .bit domain names and P2P communications.
After studying the increased botnet campaigns over the last several weeks, researchers found that all of the recipients were employed at banks. In addition, researchers noted a new file extension .pub, which belongs to Microsoft Publisher, attached to the phishing campaigns.
This unexpected change in file extension happened at 7:30 am on 15 August. “Like Word and Excel, Publisher has the ability to embed macros. So just when you are feeling confident about a layered defense protecting you from malicious Word docs, Necurs adapts and throws you a curve ball,” researchers wrote.
“The banks range from small regional banks all the way up to the largest financial institutions in the world. We have not yet determined the actor(s) behind this specific campaign or the final goal.”
The .pub file contained an embedded macro that, when executed, downloaded a payload from a remote host, resulting in the FlawedAmmyy remote access Trojan (RAT). With this final payload, the attackers gained full remote control of the compromised host, enabling both credential theft and the potential of future lateral movement within the banking institution.
Cyber-criminals are leveraging the shift from pen and paper to electronic signatures in real estate transactions. According to new research from Proofpoint, fraudulent real estate transactions are being used to steal people’s credentials.
Attackers are capitalizing on the number of unfamiliar parties and documents involved in a typical real estate transaction to lure unsuspecting homebuyers into clicking on fake landing pages.
Researchers have identified schemes employed by attackers targeting homebuyers with DocuSign lures and fake Office 365 login pages associated with bogus real estate documents. In addition, the computer networks of real estate firms have been directly attacked with remote access Trojans (RATs) to obtain confidential information.
The electronic signature has proven to be an effective target for threat actors, and click rates for DocuSign lures are averaging five times higher than click rates for the top 20 lures, according to a 15 August blog post.
The goal, however, is not to steal users’ DocuSign credentials. Rather, the lure is to have victims log in to fake DocuSign landing pages with third-party credentials such as Microsoft Office 365 or other generic email credentials.
“These landing pages are linked in phishing emails; the URLs for the links suggest targeting for homebuyers and generally reside on compromised sites, the administrators of which have all been notified,” Proofpoint wrote.
In addition to abusing the DocuSign brand to harvest credentials on phishing pages, attackers have used other phishing templates specific to mortgage closings. The phishing landing page – complete with national realtor and Norton logos – tricks users into thinking they are opening documents containing their closing disclosure.
Though less frequent than real estate phishing, attackers are also targeting real estate businesses, including realtors and homeowner insurance agencies, using RATs. “Because of the nature of the transactions in which these businesses engage, RATs and information stealers offer additional opportunities for threat actors to steal a range of personal and banking information.”
Small businesses will soon receive help implementing voluntary cybersecurity frameworks as defined by the National Institute of Standards and Technology (NIST) after President Trump signed the “NIST Small Business Cybersecurity Act” S. 770 on 15 August.
In addition to providing resources to small businesses, the bill, which requires NIST to develop and disseminate resources for small businesses to help reduce their cybersecurity risk, also states that future NIST standards must consider the needs of small businesses.
The bill represents a step forward for both the cybersecurity industry and for SMBs struggling to be in accordance with the NIST standards. “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” said Dr. Bret Fund, founder and CEO at SecureSet.
Fund said the bill, widely seen as a step in the right direction toward cybersecurity compliance and readiness for SMBs, also signals President Trump's intent to improve cybersecurity overall.
“With the increase in cyber-attacks, it is great to see the administration continue to invest in cybersecurity initiatives. Small businesses are not immune to threats, and are often not equipped with the IT resources or personnel to protect their networks,” said Dirk Morris, chief product officer at Untangle.
Small businesses have long been at risk of cyber-attacks as nefarious actors know that SMBs are limited in both budgets and staff, making it difficult for most small businesses to implement strong security strategies. “Recent reports show that smaller businesses lose proportionately more to cyber-attacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures,” said Anupam Sahai, vice president of product management at Cavirin.
“This is a very positive step, as smaller enterprises may not have the skills or budget to implement a broad-based program. The Act will help with focus. The proof will be how the necessary resources are actually made available.”
A US entrepreneur and cryptocurrency investor has filed a $223m lawsuit against AT&T after a store employee allegedly facilitated SIM swap fraud.
Lawyers acting on behalf of Michael Terpin filed 16 counts of fraud, gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, failure to supervise its employees and investigate their criminal background, and other charges in a US District Court in Los Angeles yesterday.
On January 7, an AT&T agent in a Connecticut store is alleged to have agreed to transfer Terpin's mobile phone number to a new SIM, which an “international criminal gang” then used to commit major identity fraud.
Specifically, they were able to circumvent 2FA security on his cryptocurrency accounts by intercepting one-time SMS passcodes to access them and then transfer funds to the tune of $24m elsewhere.
“Even after AT&T had placed vaunted additional protection on his account after an earlier incident, an imposter posing as Mr Terpin was able to easily obtain Mr Terpin’s telephone number from an insider cooperating with the hacker without the AT&T store employee requiring him to present valid identification or to give Mr. Terpin’s required password,” the complaint alleges.
“It was AT&T’s act of providing hackers with access to Mr Terpin’s telephone number without adhering to its security procedures that allowed the cryptocurrency theft to occur. What AT&T did was like a hotel giving a thief with a fake ID a room key and a key to the room safe to steal jewellery in the safe from the rightful owner.”
The complaint further alleges that AT&T’s 140 million customers are at a similar risk of SIM swap fraud “because it has become too big to care.”
AT&T is disputing the allegations and claims to be looking forward to “presenting our case in court.”
Identity fraud in the UK has fallen for the first time in four years but the number of online scams continues to rise, especially in the retail sector, according to Cifas.
The not-for-profit fraud prevention organization claimed a drop in identity fraud of 5% in the first six months of 2018 compared to the same period last year.
However, identity fraud still comprises over half of all fraud reported by Cifas, with online accounting for 87%. That figure is up from the last time Infosecurity contacted the non-profit in April, when a spokesperson said that 84% of identity fraud occurs through online channels.
Identity fraud against online retail accounts has risen by 24% (1,232 cases), while there has been a steep rise in fraudulent applications for credit and debit cards (12%).
On the other side, Cifas recorded a 12% reduction in the volume of bank accounts being targeted by identity fraudsters, and a 34% reduction in attempts to obtain mobile phone contracts.
The most popular ways to obtain the digital identity data needed to make fraudulent applications online are still by buying it off the cybercrime underground, social engineering and ‘hacking’, it said.
Sandra Peaston, director of strategy, policy and insight at Cifas, pointed out that identity fraud hit an all-time-high at the end of 2017, so any reversal of this trend should be viewed positively.
“However, these new figures demonstrate that identity fraudsters adapt quickly to try and circumvent security measures. The re-targeting of plastic cards, following a drop in 2017, is a prime example of this,” she added.
“With identity fraud remaining uncomfortably high, more personal information available online, and increasing numbers of data breaches, the protection of personal data must be viewed as a collective responsibility. Everyone should play their part, from individuals and organizations taking steps to protect personal data to businesses ensuring their fraud prevention practices effectively defend against evolving tactics employed by identity fraudsters.”