Three-quarters (75%) of UK data protection officers (DPOs) anticipate the Covid-19 lockdown will cause difficulties in meeting data compliance obligations, potentially leading to large fines, according to a study by Guardum.
In the survey, 72% of DPOs expect a backlog of data subject access requests (DSARs) upon returning to the office, while 3% are concerned there will be a “mountain” of DSARs to complete when they go back.
Additionally, 30% of DPOs believe there will be a massive increase in DSARs over the next six months. Furloughed or laid off employees during the pandemic will be a major driver of this growth according to 73% of respondents, while one in five said it will be the biggest single factor.
Under GDPR rules, if requested, organizations must provide data subjects with a copy of their personal data within 30 days or face the prospect of a maximum fine of up to €20 million or 4% of turnover from the Information Commissioner’s Office (ICO).
The findings suggest that HR personnel will face substantial data compliance challenges once the UK government’s furlough scheme ends in October. Under the scheme, the government pays a portion of the wages of employees who would otherwise lose their jobs during the crisis. It is expected that as the scheme is wound down, however, many of these workers will be made redundant.
Rob Westmacott, co-founder of Guardum, commented: “HR personnel will soon find themselves at the sharp end in dealing with large DSAR volumes raised by disgruntled former employees. If DSAR volumes reach the record levels DPOs expect then firms will struggle to meet their 30-day turn-around obligations using conventional manual processes.
“DSAR requests can be time consuming and costly: maintaining the privacy of any third parties means that the process of redaction will become impossible to manage effectively without some form of automation.”
The report also found that 46% of all DSARs received by mid to large-sized organisations are from employees or contractors, while one-third (33%) come through legal representation, with ex-employees making up 15% of this portion.
State-sponsored hackers are actively targeting organizations involved with the development of a COVID-19 vaccine.
According to the NCSC, the threat group APT29, which has been named 'Cozy Bear' and is believed to be associated with Russian intelligence, has been targeting UK, US and Canadian vaccine research and development organizations.
Paul Chichester, director of operations at the NCSC, condemned the attacks, calling them “despicable” and working against those doing vital work to combat the coronavirus pandemic.
“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” he said. “We would urge organizations to familiarize themselves with the advice we have published to help defend their networks.”
APT29 typically conducts widespread scanning in an effort to obtain authentication credentials to access systems. “In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations,” the NCSC reported. “The group then deployed public exploits against the vulnerable services identified.”
The NCSC’s advisory claimed the group uses a variety of tools and techniques, including spear-phishing and custom malware known as 'WellMess' and 'WellMail.' WellMess is lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS and DNS communications methods.
WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server. Similar to WellMess, WellMail uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers.
The NCSC has been supported by partners at the Canadian Communication Security Establishment (CSE), the US Department for Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
John Hultquist, senior director of intelligence analysis for Mandiant Threat Intelligence, said it was no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure, as “COVID-19 is an existential threat to every government in the world.”
He said: “The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg-up on their own research. We’ve also seen significant COVID-related targeting of governments that began as early as January.
“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”
Data and ransomware protection provider Arcserve today announced the appointment of award-winning tech veteran Ivan Pittaluga as its new chief technology officer (CTO).
Pittaluga brings a proven record of leading advances in service delivery and transformational technology in the high-tech space to the role. As Arcserve’s new CTO, he will oversee the strategy and development of the company’s portfolio of backup, disaster recovery, continuous availability, migration and archiving solutions.
“The world of data protection is rapidly evolving, fueled by unprecedented challenges from a larger data attack surface and increasingly prevalent cyber-threats,” said Tom Signorello, CEO at Arcserve.
“The addition of Ivan will accelerate our market-first solutions to these, and other business continuity challenges, with his recognized history of driving organizational change and delivering technology that changes the way companies do business.”
Pittaluga previously served as vice-president of data protection and governance for Veritas Technologies and has held senior engineering positions at Symantec, Commvault, Legato Systems (Dell EMC) and Mastercard.
“We’re living in a digitized economy, and enterprises today can no longer risk exposing their data to cyber-threats or loss,” said Pittaluga. “Equally important are the new forms of data and environments that will emerge from rapid innovation in the cloud – all of which will need comprehensive protection. Arcserve’s 30-year experience and foresight to anticipate market shifts uniquely positions it for an exciting chapter of innovation, which I’m pleased to be a part of.”
Mobile operator EE, part of the BT Group, has today announced the launch of its new Digital Identity platform designed to help protect customers against becoming victims of fraud.
The platform offers a series of online identity checks that guard against fraud in real time, making customer transactions safer and supporting banking partners in the UK to detect SIM swapping fraud and prevent further fraudulent activities.
The platform’s ‘Sim Swap’ checker allows businesses to know when a customer’s SIM was last changed, as a recent change could indicate potential fraud. That data is then used to block financial transactions from taking place until further identity checks are carried out.
A ‘Call Divert’ feature allows for the confirmation that no call diversions have been put in place on a phone number (a key sign that sim swapping fraud has taken place) whilst the platform can also help prevent fraudulent online account sign ups with its ‘Know Your Customer’ product. This grants businesses the ability to confirm a user’s identity by cross-checking new customer data with data held in the EE databases to see if a phone has been reported lost or stolen.
Christian Thrane, managing director of consumer marketing at BT, said: “At BT and EE, we are committed to innovating to help protect customers from fraud and are already working closely with a number of industries, including banking, eCommerce and gaming, to protect millions of transactions every day. We are continuing to move into new sectors to help prevent even more fraudulent activity, so consumers across the UK can be confident in the safety of their online experiences.”
The EU-US Privacy Shield has been declared invalid, meaning it is now unlawful to transfer personal data to the USA using it.
In a judgment announced today, the Court of Justice of the European Union (‘CJEU’) ruled that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful.
The decision follows a case brought by the privacy campaigner Max Schrems against Facebook Ireland, when Facebook Ireland said it could not ensure adequate privacy protections for users in Europe with respect to their personal data sent to Facebook in the United States. This was due to the different nature of the US legal system's rules on national security, privacy and data protection.
Initially, the Privacy Shield was negotiated with the US Department of Commerce between 2015 and 2016 to remedy the collapse of the Safe Harbour agreement in 2015, when the first Schrems case brought the end of that procedure.
Amanda Brock, CEO at OpenUK, said: “The question really is how to bridge the gap between the UK and European privacy requirements and the fact that the US does not meet the ‘adequate protections test’, despite a huge number of European companies in our platform economy processing personal data there.
“If business goes down the route of a further sticking plaster, then it runs the risk of Schrems 3. It really is time for us to look long and hard at the issues caused by the US approach to privacy.”
However, the CJEU has upheld the validity of the Standard Contractual Clauses scheme, thereby providing a safety net for transatlantic business. Also, EU data protection authorities will have a new role in assessing third countries’ protection and could ban exports of data to certain countries, and data exporters and importers using the standard contractual clauses must verify the level of protection in the third country first.
Caitlin Fennessy, research director at the International Association of Privacy Professionals (IAPP), said this “will undoubtedly leave tens of thousands of U.S. companies scrambling and without a legal means to conduct transatlantic business, worth trillions of dollars annually.”
The judgement determined the General Data Protection Regulation (GDPR) provides that the transfer of such data to a third country may, in principle, take place only if the third country in question ensures an adequate level of data protection. In the absence of an adequacy decision, such transfer may take place only if the personal data exporter established in the EU has provided appropriate safeguards.
In particular, the declaration was on decision 2016/1250, which refers to the adequacy of the protection provided by the EU-U.S. Privacy Shield, and that has been declared invalid.
Toni Vitale, partner and head of data protection at JMW Solicitors, said: “Put simply, the CJEU have an issue with the interference of the US national security and law enforcement agencies having priority over the fundamental right of privacy of the persons whose data is transferred to the US, and the surveillance program utilized in the USA.
“The limitation this places on the protection of personal data in the USA means that the EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary.
“As such, the EU-US Privacy Shield has been declared invalid and it can no longer be relied on as a lawful mechanism by which to legitimately transfer data to the US.”
Schrems said he was very happy about the judgement. “This is a total blow to the Irish DPC and Facebook,” he said. “It is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role on the EU market.
“The Court clarified for a second time now that there is a clash between EU privacy law and US surveillance law. As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people – including foreigners. Surveillance reform thereby becomes crucial for the business interests of Silicon Valley."
Just over 10% of all phishing attempts in Q1 were related to COVID-19.
According to research by Positive Technologies, 13% of phishing attacks were related to COVID-19 and the number of attacks increased by 22.5% from what was seen in Q4 of 2019. Yana Avezova, analyst at Positive Technologies, said: “Hackers were quick to use common concerns about coronavirus as lures in phishing emails. One out of every five emails was sent to government agencies.”
The research also determined there were 23 “very active” APT groups whose attacks in Q1 2020 mostly targeted government agencies, industrial, financial and medical institutions.
Also, more than a third (34%) of all malware attacks on organizations used ransomware, particularly where ransomware operators demanded a ransom in exchange for not disclosing stolen data. The research found that one out of every 10 ransomware attacks targeted industrial organizations.
At the beginning of the year, many cybersecurity experts found high levels of activity relating to a new ransomware called Snake, which is capable of stopping processes related to ICS operation and deleting backups or snapshots of files in use.
Jamie Akhtar, CEO and co-founder of CyberSmart, said the report isn’t surprising, as there was an “enormous spike in phishing campaigns, fake websites and social profiles that were deliberately impersonating COVID-19 and healthcare-related authorities as hackers exploited the unprepared public.”
He added: “Many of these phishing emails can be extremely convincing and are not likely to end soon.
“Businesses and their employees can protect themselves against these attacks in the future by using email filtering that will detect and flag suspicious email addresses and malicious links or attachments, but these often don't catch everything. Training employees on how to spot suspicious and phishing emails is the best way to prevent these kinds of attacks.”
Walmart has become the latest big-name brand accused of violating California’s new data breach regulations.
The retail giant is the subject of a new complaint alleging that customers now face “significant injuries and damage” after an unspecified incident.
Customer names, addresses, financial and other information were among the haul for attackers, according to the suit filed in the US District Court for the Northern District of California.
“As a result of defendants’ wrongful actions and inactions, customer information was stolen. Many customers of Walmart have had their PII compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft and have otherwise suffered damages,” the suit alleges.
“Further, despite the fact that the accounts are available for sale on the dark web, and Walmart’s website contains multiple severe vulnerabilities through which the data was obtained, Walmart has failed whatsoever to notify its customers that their data has been stolen.”
Although it’s unknown at present how many customers were affected by the incident, the filing claims that the number of class members is “at least in the thousands.”
If the maximum damages under the California Consumer Privacy Act (CCPA) are awarded, that means $750 per customer.
Walmart intends to defend the claims made against it.
“We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information,” it said, according to Bloomberg.
Other tech firms also lined up for CCPA suits include Salesforce, controversial facial recognition firm Clearview AI and online marketplace Minted.
The new law came into force at the start of 2020, but enforcement began on July 1. It brings with it new GDPR-like powers for individuals to demand that companies don’t share their data with third parties, and that they reveal what information they hold on data subjects.
It also empowers customers to sue if they feel their privacy rights have been violated, even if they’ve not been the subject of a breach.
Home users are being urged to ensure their routers are adequately protected after experts revealed a tenfold spike in brute force log-in attempts.
Trend Micro’s latest research, Worm War: The Botnet Battle for IoT Territory, describes a threat landscape in which rival cyber-criminals are competing against each other in a race to compromise as many devices as possible, to conscript into botnets.
The vendor claimed that automated log-in attempts against routers rose from 23 million in September to nearly 249 million attempts in December 2019. As recently as March this year, it detected almost 194 million brute force logins.
The report also revealed an uptick in routers attempting to open telnet sessions with other devices. As telnet is unencrypted it’s a favorite way for hackers or their botnets to sniff user credentials and therefore infect more routers or IoT devices.
Nearly 16,000 devices attempted to open telnet sessions with other IoT devices in a single week in mid-March, according to Trend Micro data.
The report warned that these mass compromises could cause serious disruption for home networks at a time when many global users are being forced to work and study from home.
Aside from performance issues, if a compromised router subsequently carries out cyber-attacks as part of a botnet, its associated IP address could end up being blacklisted, cutting off users from their corporate network and other key parts of the internet.
The “worm wars” described by Trend Micro also have a wider impact on the security of the connected world, according to principal security strategist, Bharat Mistry.
“Home routers and consumer grade IoT devices continue to be easy pickings for hackers. The potential for mass scale and geographic distribution of compromised devices allows cyber-criminals to create powerful botnets that can cripple victim organizations,” he told Infosecurity.
“Compromised devices are the foot soldiers for lucrative attack campaigns and have sparked a war between cyber-criminals competing to take over as many routers as they can.”
Botnets are typically used in DDoS campaigns or rented out by cyber-criminals for other purposes such as to obfuscate the location of attackers.
The report urged home users to use a strong router password and stay on the latest firmware version, alongside log monitoring and other measures.
Twitter has revealed that its own staff were the cause of a coordinated account hijacking campaign affecting major tech companies and celebrities this week.
The social network’s support account noted in a thread a few hours ago that although its investigation is still ongoing it believes the incidents were a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
“We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” it added.
“Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”
Twitter said it also limited functionality for a larger group of accounts, even those showing no signs of being compromised, while it investigates what happened.
Accounts with millions of followers belonging to Jeff Bezos, Bill Gates, Barack Obama, Joe Biden, Elon Musk, Kanye West and others were briefly hijacked and used to promote a cryptocurrency scam. The corporate accounts of Apple, Bitcoin, Coinbase and others were also taken over.
“We have partnered with CryptoForHealth and are giving back 5000 BTC to the community,” noted one message, followed by a link. Other versions urged followers to send Bitcoin to a specific wallet, claiming that the celeb would “double any payment.”
That wallet received $100,000 in digital currency via hundreds of transactions and was quickly transferred to other wallets, an expert told CNN.
Stuart Reed, UK director at Orange Cyberdefense, argued that a lack of awareness among employees continues to put organizations at risk of social engineering, especially at a time when many are working from home today.
“Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and hard to predict in certain scenarios while easy to manipulate in others,” he added.
“Security awareness educates employees about manipulative techniques that might be used against them and also highlights the benefits of adapting their information security behavior. Building resilience towards social engineering attacks provides a significant line of defense.”
The personal data of over a quarter of a million people has been exposed following a malicious hack perpetrated against a Texas billing and collection company.
Houston-based company Benefit Recovery Specialists, Inc. (BRSI) discovered a data breach had occurred after detecting the installation of malware on its systems.
The malware may have allowed unauthorized individuals to view and obtain the personal and protected health information (PHI) of 274,837 people.
BRSI provides billing and collection services to certain healthcare providers and payers. The data exposed by the attack included the private and personal information of current or former members of these plans or healthcare providers.
In a data breach notice, BRSI said that the types of personal information impacted by the cybersecurity incident “may include name, date of birth, date of service, provider name, policy identification number, procedure code and/or diagnosis code.”
The company added that the Social Security numbers of “a small number of individuals” may also have been exposed.
An internal investigation was launched after the malware was discovered by BRSI on April 30 2020. Forensic specialists were hired to uncover how the attack was carried out and to determine how far the attackers managed to penetrate company systems.
Investigators found that an unauthorized individual had gained access to the company’s systems using stolen employee credentials. After entering the network, the attacker installed malware.
Exactly what malware was installed by the bad actor was not stated in the breach notice published by BRSI on its website. The company did share that the unknown attacker first gained access to BRSI systems on April 20 2020.
The investigation “further revealed that certain BRSI customer files containing personal information may have been accessed and/or acquired by the unknown actor between April 20 2020 and April 30 2020.”
BRSI began notifying customers of the cybersecurity incident around June 2.
The company stated: “While BRSI is unaware of any misuse of personal information impacted by this event, individuals are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity and report any suspicious activity immediately to their insurance company, health care provider, or financial institution.”
A malicious hacker disrupted a Jewish congregation's virtual prayer service to display symbols synonymous with anti-Semitism.
Temple Sinai in Hartford, Connecticut, was the target of the anti-Semitic attack that took place on July 10. The temple had been holding services online for several months to help slow the spread of COVID-19 around the state.
After gaining access to a service being watched on Zoom and Facebook Live by roughly 200 congregation members, the hacker posted offensive messages and images on a shared screen.
The attack disrupted the recital of the Mourner's Kaddish, a sacred prayer spoken for the benefit of the departed soul of one's deceased father or mother.
Rabbi Jeffrey Bennett said the hacker used Zoom's annotate feature to post swastikas. They also shared inappropriate messages via the chat feature and commandeered the audio system to play traditional Jewish music called klezmer that originated in the villages and ghettos of Eastern Europe.
Fortunately, the attacker was quickly stopped from spreading their message of hatred. As soon as he realized what was happening, Bennett stopped sharing his screen and a worship service co-host muted all service attendees.
The attacker was silenced after just three seconds, but for Bennett the incident "was three seconds too long."
After the temple's board of directors wrote a notice to congregants informing them of what had happened, the service continued without further incident.
Bennett said the attack was the only anti-Semitic intrusion to occur since the Temple Sinai started holding services online in March 2020. He added that actions had been taken to prevent any further incidents from taking place.
Rather than deterring congregation members from following their religious practice, the rabbi said the attack "strengthens our resolve to celebrate who we are."
An incident report has been filed with the Anti-Defamation League (ADL) by temple leaders, who also sent a message to Zoom to inform them of the security breach.
In May, the ADL reported that in 2019, Jews in America were targeted with more than 2,100 acts of anti-Semitic assault, vandalism, and harassment. The league said the number of incidents was the highest annual figure recorded since records began in 1979.
British retailer Superdrug has made a pledge to combat cyberbullying and trolling on social media platforms.
The high street giant was spurred into action after observing a sharp spike in the volume of derogatory comments being posted online in response to one of its beauty campaigns.
As part of a drive to promote cosmetics, Superdrug had been working with a number of up and coming make-up artists and bloggers to post inspirational images of models. The company was saddened to see these posts generate negative and hateful comments.
A company spokesperson said: “At Superdrug, we want our social spaces to be a positive experience for everyone. We won’t tolerate cyberbullying or unnecessary, hurtful comments.”
In response to the wave of hate, Superdrug has started an online campaign with the hashtag #BeKind, joining forces with content creators Simone Powderly, Imogenation and Georgia Rankin to spread the word.
The company issued this message to social media users: “We’d like to ask that if you have nothing nice to say, that you don’t say anything at all. Please be kind to each other and keep our comments section a safe space for everyone. #BeKind.”
Online creator Rankin said she had received some highly negative messages and comments over the years.
“These words not only hurt, they stay with you, making you doubt yourself and feel unworthy,” said Rankin. “This has to stop.”
Superdrug has also teamed up with international youth organization Ditch the Label to remind social media users to treat each other with respect.
Ditch the Label runs a program of research, support channels and education to support young people who are being bullied or who experience mental health, relationship and identity issues.
The organization's chief executive and founder, Liam Hackett, said: “At Ditch the Label, we are committed to working towards a world that’s fair, equal and free from all types of bullying. It’s always encouraging when other voices join our cause so we are delighted to support Superdrug with the anti-bullying initiative #BeKind in making a stand against online bullying. Together we can make a difference in the lives of anyone affected by bullying and online abuse.”
The Cofense Phishing Defense Center (PDC) has observed a new email-based phishing scam that aims to harvest Her Majesty’s Revenue and Customs (HMRC) credentials and sensitive personal information by preying on UK workers who are expecting COVID-19 tax relief grants.
According to Cofense, the threat actors use a legitimate-looking email address (firstname.lastname@example.org) with the impersonated organization in the name and set the name to match (HM Revenue & Customs). They also use the somewhat poorly written subject line of “Helping you during this covid from government.”
Receivers of the email are presented with a notification that the government is offering between £2500 and £7500 in tax grants for those whose ability to work has been affected by the health crisis.
Jake Longden from Cofense PDC explained: “The email includes a link to check their [users’] eligibility. With the government publicly and repeatedly mentioning such sums, the email is believable to inattentive users. The attacker also mentions the ‘Open Government Licence v3.0,’ a legitimate copyright licence used by the Government and Crown Services, to provide additional credibility.”
Once the link is clicked, the user is presented with a realistic clone of the GOV.UK website and asked to enter personal and sensitive data.
“The volume and sensitivity of data requested far exceeds what is required to sign into a legitimate account,” Longden added. “The data requested here screams identity theft/impersonation.”
The user is then directed to a ‘loading page’ which is constructed to give the impression that the data entered is being processed and verified for the tax claim, however the information is in fact harvested by the scammers and no tax relief is generated.
The media industry suffered 17 billion credential stuffing attacks over the course of two years, as part of a huge increase in attacks against the sector.
According to research by Akamai, between January 2018 and December 2019, 20% of the 88 billion total attacks recorded were against media companies. The company also recorded 630% and 208% year-over-year increases in attacks against broadcast TV and video sites, respectively.
Steve Ragan, Akamai security researcher and author of the State of the Internet/Security report, said: “As long as we have usernames and passwords, we’re going to have criminals trying to compromise them and exploit valuable information.
“Password sharing and recycling are easily the two largest contributing factors in credential stuffing attacks. While educating consumers on good credential hygiene is critical to combating these attacks, it’s up to businesses to deploy stronger authentication methods and identify the right mix of technology, policies and expertise that can help protect customers without adversely impacting the user experience.”
Video sites are not the sole focus of credential stuffing attacks within the media industry. The report noted a staggering 7000% increase in attacks targeting published content. Newspapers, books and magazines sit squarely within the sights of cyber-criminals, indicating that media of all types appear to be fair game when it comes to these types of attacks.
In an email to Infosecurity, Alex Guirakhoo, threat research team lead at Digital Shadows, said credentials for video and music streaming services are in high demand on cyber-criminal platforms, and he had seen streaming accounts account for 13% of all listings, surpassed only by bank or financial accounts, which comprised 25% of all listings.
“Attackers can obtain these accounts cheaply and efficiently using credential stuffing tools, which prey on password reuse,” Guirakhoo said. “Individual streaming accounts can be purchased for an average of under $10. These accounts are also frequently traded for free on cyber-criminal forums like XSS and RaidForums, likely to help build a sense of community among forum users."
Leo Pate, application security consultant at nVisium, said conducting credential stuffing attacks is easy and low-risk, and that they deliver a high return on investment (ROI) if successful. “From a criminal point-of-view, most media platforms don't offer strong security controls, like multi-factor authentication, or users simply do not take advantage of them even if available, thereby resulting in a higher rate of successful compromise,” he added.
“Additionally, some media platforms utilize the same credentials in other platforms they own; for example, Amazon Prime Video and Amazon Prime. Therefore, a successful compromise of an Amazon Prime Video account will likely lead to a successful compromise of an Amazon Prime account as well. This also enables the criminal to potentially [access] even more financial and personal information.”
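Seen from the service side, the credential stuffing the quotes above describe looks like one client source trying many distinct accounts in a short window with mostly failures, while the few successes are the password-reuse victims. The detector below is an added example written for this piece, not code from Akamai, Digital Shadows or nVisium; the log format, IP addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real traffic): timestamp, client IP, account, result.
SAMPLE_LOG = """\
2020-07-15T10:00:01Z 203.0.113.7 alice@example.net FAIL
2020-07-15T10:00:02Z 203.0.113.7 bob@example.net FAIL
2020-07-15T10:00:03Z 203.0.113.7 carol@example.net FAIL
2020-07-15T10:00:04Z 203.0.113.7 dave@example.net OK
2020-07-15T10:00:05Z 203.0.113.7 erin@example.net FAIL
2020-07-15T10:01:00Z 198.51.100.20 ivan@example.net FAIL
2020-07-15T10:01:10Z 198.51.100.20 ivan@example.net OK
2020-07-15T10:02:00Z 192.0.2.55 judy@example.net OK
2020-07-15T10:02:05Z 192.0.2.55 oscar@example.net OK
2020-07-15T10:02:10Z 192.0.2.55 peggy@example.net OK
2020-07-15T10:02:15Z 192.0.2.55 trent@example.net OK
2020-07-15T10:02:20Z 192.0.2.55 victor@example.net OK
"""

def parse_log(text):
    """Parse 'ts ip account result' lines into sorted (datetime, ip, account, ok) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "OK"))
    return sorted(events)

def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.3):
    """Flag IPs that hit many distinct accounts within one window with a low success rate."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start forward
                start += 1
            chunk = evs[start:end + 1]
            accounts = {acct for _, acct, _ in chunk}
            oks = [acct for _, acct, ok in chunk if ok]
            if len(accounts) < min_accounts or len(oks) / len(chunk) > max_success_rate:
                continue  # one user retrying, or an office NAT where most logins succeed
            if best is None or len(accounts) > best["accounts"]:
                # 'compromised': accounts that succeeded from this source, i.e. reuse victims to reset and push to MFA
                best = {"accounts": len(accounts), "attempts": len(chunk), "compromised": sorted(set(oks))}
        if best:
            flagged[ip] = best
    return flagged
```

On the sample log only 203.0.113.7 is flagged: the single user retrying one account and the NAT address whose five logins all succeed are left alone.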
The US government is urging SAP customers to patch a critical vulnerability published earlier this week, which could affect as many as 40,000 customers.
Released as part of the software giant’s July patch update round, CVE-2020-6287 affects the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard.
According to an alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the bug is introduced thanks to a lack of authentication in the component.
“If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account (<sid>adm), which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications,” it explained.
“The confidentiality, integrity, and availability of the data and processes hosted by the SAP application are at risk by this vulnerability.”
As SAP NetWeaver AS Java underpins a large range of SAP applications, the potential impact is severe. The affected products include SAP Enterprise Resource Planning, Product Lifecycle Management, Customer Relationship Management, Supply Chain Management, Supplier Relationship Management, NetWeaver Business Warehouse, Business Intelligence, NetWeaver Mobile Infrastructure, Enterprise Portal, Process Orchestration/Process Integration, Solution Manager, NetWeaver Development Infrastructure, Central Process Scheduling, NetWeaver Composition Environment, and Landscape Manager.
Onapsis Research Labs, which discovered the vulnerability, named it RECON and warned that the CVSS 10.0 bug could affect more than 40,000 global SAP customers.
It could allow remote attackers to steal PII from employees, customers and suppliers, delete or modify financial records, change banking details, disrupt operations and much more, the vendor claimed.
“The business impact of a potential exploit targeting RECON could be financial loss, compliance violations and reputation damage for the organization experiencing a cyber-attack,” it added.
A malware campaign hiding backdoors in mandatory Chinese corporate tax software is far more extensive than at first thought, according to researchers from Trustwave.
The vendor warned last month that it discovered several clients had unwittingly installed the GoldenSpy backdoor after agreeing to download the Intelligent Tax software product, produced by Aisino Corporation.
China’s banks require all companies to download software from either Aisino or Baiwang to comply with its Golden Tax VAT scheme, indicating that the malware campaign has either direct sponsorship from the government, or is happening with its blessing.
Soon after Trustwave reported on the powerful GoldenSpy backdoor, which it said could not be removed, an uninstaller appeared out of the blue which directly negates the threat.
Now the vendor has discovered a second piece of malware, dubbed GoldenHelper, which dates back to before GoldenSpy. It’s found in the Golden Tax Invoicing Software (Baiwang edition), which is digitally signed by a subsidiary of Aisino, Nou Nou Technologies.
The malware, while functionally different to GoldenSpy, has a similar delivery mechanism, according to Trustwave’s VP of cyber-threat detection and response, Brian Hussey. It utilizes three DLL files to: interface with the Golden Tax software; bypass Windows security and escalate privileges; and download and execute arbitrary code with system-level privileges.
It also uses multiple techniques to hide its presence and activity, including randomization of its file name while in transit and of its file system location, timestomping, an IP-based Domain Generation Algorithm (DGA), and UAC bypass and privilege escalation.
Active from January 2018 to July 2019, the malware delivered a final payload of “taxver.exe,” although Hussey admitted his team has yet to get hold of a sample for analysis.
“Several individuals report receiving an actual Windows 7 computer (Home edition) with this Golden Tax software (and GoldenHelper) preinstalled and ready to use. This deployment mechanism is an interesting physical manifestation of a Trojan horse,” he continued.
“Trustwave SpiderLabs understands that the VAT tax invoice software is a government requirement and recommends that any system hosting third-party applications with a potential for adding a gateway into your environment, be isolated and heavily monitored with strict processes and procedures in their usage.”
Microsoft has released yet another gargantuan security update this month, fixing 123 vulnerabilities including 18 marked critical.
The July Patch Tuesday is close to the largest ever update, which came last month, fixing 129 bugs, and is the fifth month in a row that the Redmond giant has issued patches for over 100 software flaws.
Although none of the bugs listed are known to be actively exploited in the wild, four of the critical vulnerabilities are marked as “exploitation more likely.”
“While there are vulnerabilities listed in many areas this month, I cannot stress enough how important the patch for Microsoft DNS server is for this month. While restarting your DNS server or the Active Directory server it is a part of was likely not in this week’s plans, you should really consider making this patch your number one priority,” she argued.
“Since nearly everyone is running DNS with Active Directory, bad actors are likely to see the high target count this offers and develop exploits rather quickly. If you cannot patch it, at least set aside some time to deploy the workaround to protect this important part of your infrastructure until you can deploy the patch.”
The 18 critical CVEs affect Windows, IE, Office, SharePoint, .Net Framework and Visual Studio. Ivanti senior product manager, Todd Schell, said the OS, browser and Office should be prioritized, but that SharePoint, .Net and Visual Studio should not be neglected.
“Microsoft has also included Servicing Stack Updates (SSUs) for all Windows versions in this month’s updates that resolve a critical vulnerability, which is a first,” he added.
“CVE-2020-1346 is an elevation of privilege vulnerability in Windows Modules Installer that could allow an attacker to gain elevated privileges on the affected system. In this case the attacker would need to execute code on the target system. This vulnerability affects all Windows OSs including Windows 7, Server 2008 and 2008 R2.”
The US experienced far more ‘significant’ cyber-attacks than any other country in the period of May 2006 to June 2020, according to a new analysis by Specops Software, which used data from the Center for Strategic and International Studies (CSIS).
The study outlined the degree to which countries around the world are targeted by significant attacks; this is defined as those targeting a country’s government agencies, defense and high-tech companies, or economic crimes resulting in losses in excess of $1m.
It found the US faced 156 such attacks – equivalent to 11 per year – over this timeframe, while in second place was the UK at 47. This included the large-scale cyber-attack deployed across the Labour Party’s digital platforms during the 2019 general election. The country experiencing the third highest amount of significant attacks was India, at 23.
Next on the list was Germany (21), followed by South Korea (18), Australia and Ukraine (both 16). Interestingly, China, Iran and Saudi Arabia each experienced 15 of these kinds of attacks during the period studied.
The countries which have faced the lowest number of significant attacks were North Korea (5), Turkey (6) and Vietnam (6).
Darren James, cybersecurity expert from Specops Software, commented: “No one can rest on their laurels when it comes to cybersecurity. This research highlights the frequency of cyber-attacks which have devastatingly affected key political, social and economic institutions within different countries.
“Whilst some countries have had to deal with more cyber-attacks classified as significant than others, it’s an important reminder to those in notable positions of power of the role they can play in providing the public sufficient and continual governance on what best practices they can implement to prevent their IT estate from being exploited by opportunistic cyber-criminals.”
A chat app that claims to be secure has been found to be an instrumental part of a long-running cyber-espionage campaign believed to be based in the Middle East.
Researchers at ESET said claims that Android app Welcome Chat and the website promoting and distributing the app are both secure “couldn't be further from the truth.”
While functioning as a communication app, Welcome Chat was found to simultaneously be serving as spyware, harvesting data for a campaign with links to threat group Gaza Hacker, also known as Molerats.
“In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet,” said Lukáš Štefanko, the ESET researcher who conducted the analysis of Welcome Chat.
Researchers found that the app does not encrypt the data it transmits, leaving users vulnerable to exposure.
“Unfortunately for the victims, the Welcome Chat app, including its infrastructure, was not built with security in mind," said Štefanko.
“Transmitted data is not encrypted, and because of that, not only is it freely accessible to the attacker, but also to anyone on the same network.”
While posing as a secure and legitimate app, Welcome Chat was never available on the official Android app store. However, the app behaves like any other chat app downloaded from outside Google Play, requiring the setting “Allow installing apps from unknown sources” to be activated.
After installation, the app requests permission to send and view SMS messages, access files, and record audio, as well as requests access to contacts and device location. As soon as permissions are received, Welcome Chat starts receiving commands from its command and control (C&C) server, and it uploads any harvested information.
In addition to stealing chat messages, the app leaks sent and received SMS messages, call history, contact list, photos, phone call recordings, and the device’s GPS location.
ESET researchers tried to establish whether Welcome Chat is an attacker-Trojanized version of a clean app, or a malicious app developed from scratch.
“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability, but our best guess is that no such app exists,” said Štefanko.
Global cybersecurity firm Herjavec Group has acquired an identity and access management and IT security consulting firm based in the UK.
Identity management experts Doug Chin and Mike Sims founded Securience in 2014. The company drives identity and access management programs for complex global enterprises with the use of proprietary technologies for deploying and managing large-scale identity environments.
Last year, Securience won Best IAM Solution Provider UK 2019 at the AI Cyber Security Awards and was listed among the finalists in the category of Security Company to Watch 2019 by Computing Security.
Herjavec Group has offices and security operations centers across the United States, UK and Canada. The acquisition has been undertaken with the aim of expanding Herjavec Group’s existing capabilities, which have been formally recognized by Forrester, IDC and Gartner.
Herjavec said that the erosion of the traditional office work environment had heralded the need for change in cybersecurity practices.
“As more businesses shift to remote work, traditional perimeters are rapidly evaporating, fueling the growth for strong identity services and products,” said Herjavec.
“As a result of this flexible workforce environment, CIOs and CISOs are challenged with the need to safeguard access controls in order to ensure that the right people are accessing the right data and systems for the right reasons.”
Following the acquisition, Herjavec Group is now deploying Securience's proprietary tools, including Data Manager, a staging solution and analytics tool; Access Anywhere, which enables enterprises to externalize critical business activities such as line manager approvals, user access reviews or recertifications, and notifications of violations and issues; and an all-in-one data integration platform.
Securience's managing director, Doug Chin, said the acquisition presented an opportunity for the company he co-founded to expand.
He added: “We are excited to be able to enhance, expand, and grow our identity services across the globe. Herjavec Group is well-known in the security space, and our team is excited to be able to work with like-minded professionals that are as passionate about security as our team.”