Web traffic during Amazon Prime Day, in which 250 e-commerce merchants participated, reflected a significant uptick in the US, according to Akamai.
The fifth annual event spanned 48 hours this year, resulting in a 14% spike in web traffic. “This increase in participation and strong revenue figures mean that traffic was up as shoppers researched and purchased items. We tabulated and analyzed aggregate statistics from global online retail traffic that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points. For our baseline, we used the month of June 2018 and did not adjust for the fact that 2018 Prime Day was 36 hours vs. 48 hours for Prime Day 2019,” according to a July 25 blog post.
Interestingly, the surge in US traffic resulted in a decline in global traffic, “with the exception of LATAM, where baseline traffic increased nearly three times as much as the US,” according to the research.
Consumers are increasingly using mobile for online shopping, which was reflected in the research as well. “Looking at just Prime Day 1, the year-over-year change shows a healthy increase (12.94%) for mobile, with a decrease for desktop and a very large drop (-21.42%) for tablets,” the report said.
The report warned that retailers need to be aware of these spikes in traffic in order to prepare for future online sales and the holiday season, according to Akamai’s Chris Wraight. “Also, the growing number of shoppers who use their mobile device to research means that it is vital to present images and videos quickly, regardless of device, browser or connection speed,” wrote Wraight.
With a spike in traffic comes the additional threat of cyber-attacks. The report also found that “nearly 10 billion total bot attacks during the 48 hours of Prime Day is equal to the number of retail-specific bot attacks we detected from May to December 2018. Prime Day was very attractive to threat actors due to the high visibility of Prime Day and the larger number of retailers offering their own promotions. Detecting, correctly interpreting and remediating credential stuffing attacks needs to be a top priority of retailers, especially going into the Q4 holiday peak traffic season.”
“This year collaborations between threat actors allowed even more destructive attacks that paralyzed numerous organizations worldwide. What ends with a ransomware attack usually starts with a more silent sequence of bot infections,” the report said.
Though there was an 18% decrease in the number of global organizations impacted by crypto-miners from 2018 to 2019, the report found that there was a sharp increase in supply chain attacks. “Software supply chain attacks attracted public and government attention,” the report said.
“In such attacks threat actors inject malicious code into components of legitimate applications, victimizing a large number of unsuspecting users. The accumulation of several cases since the beginning of the year led the American government to devote special attention to this evolving threat and will soon publish official recommendations on ways to minimize the impact of such attacks.”
In addition, the vast majority (90%) of attacks leveraged older vulnerabilities that were registered in 2017 and earlier, and more than 20% of attacks used vulnerabilities that are at least seven years old, according to the research.
2019 has also seen a surge in sextortion scams and business email compromise (BEC). “This year saw the sextortion scammers doing everything possible to make their victims worried enough to pay up and avoid the publication of the alleged sexual materials. This mainly includes providing the victim’s personal credentials as evidence, which were usually leaked in previous data breaches or purchased in underground forums,” the report said.
Also on the rise are attacks targeting resources and sensitive data in public cloud environments. According to the report, “So far this year, cloud cryptomining campaigns stepped up, upgraded their technique set and were capable of evading basic cloud security products, abusing hundreds of vulnerable exposed Docker hosts and even shutting down competitors’ cryptomining campaigns operating in the cloud.”
A San Mateo, California, grand jury issued a report this week that focuses on San Mateo County’s email and online communication platforms, which are vulnerable to hijacking and propagating disinformation in the guise of election instructions or announcements.
“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public. Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report said.
In San Mateo County, the Assessor–County Clerk–Recorder and Elections (ACRE) uses email, social media and its website to collect voter information directly from local election offices. Attackers hijacked the election results webpage in 2010; six years later, the county suffered a breach resulting from a spear-phishing email.
After analysis, the grand jury determined that “the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure,” according to the report.
The report goes on to make specific recommendations that include the use of FIDO physical security keys, which Satya Gupta, CTO of Virsec, said is a bit unsettling. “Two-factor authentication should be the norm for any important business transaction and is used and offered by most online services. Intercepting SMS codes with a [man-in-the-middle] attack is actually quite difficult, and hardware authentication devices, while more secure, are less practical to distribute widely and securely. Stepping back, the real problem seems to be county agencies using social media platforms to communicate official business. Stronger authentication may help but will not stop the torrent of false social media information we should expect during this election cycle.”
The fact that two-factor authentication isn’t already being used is appalling to Pierluigi Stella, CTO of Network Box USA, who pointed out that “in 2019, a grand jury should not be the body that has to propose the adoption of what should be obvious security measures.”
“The people running the security policies of the institutions that are in charge of the election process are not forcing the issue and ensuring the adoption of the highest security standards already. We do not need a grand jury to state the obvious. These situations baffle me to no end. Two-factor authentication may not be the ultimate solution, yes, but it surely goes a long way towards making hackers' lives miserable, hence enhancing and augmenting the element of data safety,” Stella said.
The governor of Louisiana has declared a state of emergency after ransomware attacks knocked out IT systems in three school districts.
The outages occurred in Sabine, Morehouse, and Ouachita parishes in North Louisiana, with the declaration made to ensure that cybersecurity experts from the state’s National Guard, State Police, Office of Technology Services and others are on hand to help local governments respond.
“The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since,” said John Bel Edwards in a statement.
“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.”
It’s not the first time such a declaration has been made; something similar happened in Colorado in 2018 after a SamSam attack crippled local services. However, the latest incident highlights the continued threat posed by ransomware.
In South Africa, some Johannesburg residents have suffered power outages after local provider City Power was hit by ransomware on Thursday morning, local time. Customers are unable to access the firm’s website for information and suppliers are unable to log invoices, it said in a series of tweets over the past few hours.
“City Power will continue to work throughout the night to recover the systems and restore remaining applications. We are hoping that if everything goes according to plan, everything should be restored by Friday,” it said.
Ilia Kolochenko, founder of security firm ImmuniWeb, argued that this is just the beginning.
“Cities, and especially their infrastructure sites, are usually a low-hanging fruit for unscrupulous cyber-gangs. These victims will almost inevitably pay the ransom as all other avenues are either unreliable or too expensive. Cryptocurrencies make such crimes technically impossible to investigate in most cases, letting the wrongdoers enjoy impunity,” he added.
“Law enforcement agencies are already overburdened with an increasingly growing pipeline of sophisticated investigations, often aggravated by continuous lack of financing and unfriendly colleagues from foreign jurisdictions. Unless governments develop, finance and duly enforce security regulations purported to safeguard cities and municipalities, we will soon dive into a darkness, facing grave accidents involving airports and other objects of critical infrastructure.”
Voting infrastructure in all 50 US states was probably infiltrated by Russian intelligence over the past few years, according to a new Senate Intelligence Committee report.
Although there’s no evidence that any votes were changed or any voting machines were manipulated, the heavily redacted report does reveal that hacking activity began as far back as 2014 and continued into “at least 2017.”
Investigators from the FBI and Department of Homeland Security (DHS) analyzed the activity of suspect IP addresses discovered in 2016 and came to the conclusion that Russian activity was far more widespread than the 21 states previously assumed to have been targeted.
“DHS assessed that the searches, done alphabetically, probably included all 50 states, and consisted of research on general election-related web pages, voter ID information, election system software, and election service companies,” the report claimed.
“State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.”
Although there were opportunities to interfere with voting, the hackers, who displayed TTPs associated with Russian state-sponsored actors, appear to have chosen not to in 2016. However, this could change next time around, the report warned.
“If Russia’s preferred candidate does not prevail in the 2020 election, the Russians may seek to delegitimize the election,” it argued. “The absence of any successful cyber intrusions, exfiltrations or manipulations would greatly benefit the US public in resisting such a campaign.”
Piers Wilson, head of product management at Huntsman Security, warned that hackers have a good chance of being successful in future elections, and governments must focus on improving their response.
“The operation of voter registration systems; the design, build and operation of electronic voting systems; the management of polling booths – all depend on technology and hence knowing how well defended these disparate systems are is no different,” he said.
“There will always be actors looking to disrupt the democratic process so governments must be able to react swiftly to any attacks, and have the right contingency plans in place to keep the faith of the electorate.”
Researchers have found over 23 million stolen credit and debit cards up for sale on the dark web, with US consumers by far the hardest hit.
Nearly two out of every three stolen cards on the sites trawled by Sixgill were issued in the US, amounting to more than 15 million. The next hardest-hit country was the UK, which accounted for over 7%.
Tellingly, just 316 stolen cards out of the total 23 million were Russian issued. This isn’t just because many hackers are of Russian origin, but also because of the relatively low GDP of the country, making its citizens less attractive targets, the report claimed.
Although the figures are small in comparison to the five billion cards issued globally by Visa, Mastercard and American Express, fraud on these is estimated to cost US businesses and consumers around $12bn by 2020, according to separate predictions from The Nilson Report.
Threat actors are increasingly moving away from traditional dark web marketplaces to Internet Relay Chat (IRC) channels and encrypted Telegram chats, making it harder for researchers to monitor them, according to Sixgill.
“Fraudsters have a number of illicit methods they use to steal card data. They place ‘skimmers’ over the card readers on gas pumps and ATM machines. Retail workers and restaurant employees use devices to copy the swipes when they take a card for payment,” the firm continued in a blog post.
“They infect computers and other devices with malware to record payment information when their owners buy from e-commerce sites. Hackers infiltrate the networks of large companies and simply steal millions of records at a time.”
Credit card information sells for as little as $5 and comes in two main types: records including all the card details plus the CVV, which fraudsters can use easily online, and dumps containing magstripe data, which enable cyber-criminals to create counterfeit cards.
The former is more popular as it’s easier to commit fraud online, said Sixgill. Dumps of magstripe data will likely get less popular as more retailers and consumers adopt EMV in the US.
Email remains the vector of choice for cyber threat actors with the majority of organizations citing phishing as their top perceived threat, according to a new survey from Dimensional Research and Barracuda Networks.
With the rise of more complex, advanced threats, such as account hijacking and spear-phishing, the majority of organizations have faced attacks in just the last year, according to a survey of more than 600 IT professionals responsible for corporate email security.
“On average, more than four-fifths (82%) of organizations claim to have faced an attempted email-based security threat in the past year, although the figures differ slightly by global region,” the report said.
The survey results revealed that despite growing confidence in security measures and awareness, concerns over phishing continue to rise, particularly given the reality that attack methods continue to evolve and target victims with social engineering. Nearly all (93%) of respondents said they are worried about business email compromise (BEC). With the prevalence of BEC and account takeover attacks, 79% of organizations are concerned about potential insider threats and other account hijacking attacks.
Oddly, 63% of organizations also reported that they feel more secure than ever. The report noted that organizations should treat this feeling of confidence with caution. “If an organization lacks the tools to accurately detect threats, it may have a false sense of security. APAC companies are the most likely to feel their security has improved, while EMEA companies are the least likely,” the report said.
When asked about the impact of email threats, 48% of participants said they had suffered a loss of employee productivity and 36% said they had experienced downtime and business disruption. When asked about breaches, 78% of participants said that breach costs are also increasing, in both money and lost productivity.
The survey also found a pitfall in terms of security spend. “Organizations are clearly under-investing in tools designed to protect email beyond the traditional security gateway. Just a quarter or fewer had automated incident response, dedicated spear-phishing protection or tools to prevent account takeover.”
Police officers from the UK and the Netherlands announced a new campaign that would allow first-time cybercrime offenders to learn from their mistakes through a program called Hack_Right, according to Cyberscoop.
At the International Conference on Cybersecurity at Fordham University, the joint forces discussed the program, which is intended to help young offenders who may not understand the severity of their crimes. Geared toward hackers between 12 and 23 years old, Hack_Right would allow youngsters to avoid the legal consequences of their crimes by participating in a program focused instead on education.
“We do this…to get out and find them and get them into computing clubs before we have to investigate someone and lock them up,” Gregory Francis, acting national prevent lead at the National Cyber Crime Unit of the National Crime Agency, reportedly said. “[Cybercrime] is not a law enforcement problem. It’s a societal problem.”
The program includes a community service project that requires 10 to 20 hours of ethical computer training and conversations with professionals who can discuss possible career paths and education opportunities based on the participants’ interests.
“We should welcome any opportunity to show ‘at risk’ hackers ways in which they can use their skills for good, such as helping secure the internet,” said Ben Sadeghipour, head of hacker operations at HackerOne.
“I think the best way to educate the younger generation to do the right thing is to show them the benefits of being a white hat, since now you can get the same fame, notoriety and money as black hats used to, without the risk of going to prison. Encouraging young hackers to use their skills for good is what we’re about at HackerOne. We have hundreds of thousands of hackers on our platform, and nearly 54% of them are under the age of 24. We believe that bug bounty programs provide an environment in which young hackers can safely hone their skills while earning real money from it.”
A cyberattack campaign using malicious RTF documents has been targeting government IT agencies in Eastern Asia, according to research published today by Proofpoint.
Dubbed Operation LagTime IT, the campaign uses malicious documents to deliver custom Cotx RAT malware to tech agencies responsible for overseeing government network infrastructure. Proofpoint has attributed the campaign to the Chinese threat group known as TA428. Researchers believe the likely motivation is conducting espionage on capabilities such as 5G and establishing a beachhead for future attacks.
“Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT,” researchers wrote in today’s blog post.
According to the research, the malicious RTFs were first delivered via Yahoo accounts and came from senders whose names closely mirrored those within the targeted entities. The email subjects were crafted with convincing IT-related themes relevant to government or public training in Asia.
“On one specific occasion an email utilized the subject 'ITU Asia-Pacific Online CoE Training Course on "Conformity & Interoperability in 5G" for the Asia-Pacific Region, 15-26 April 2019' and the attachment name '190315_annex 1 online_course_agenda_coei_c&i.doc.' The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries,” researchers wrote.
“Op LagTime IT is a continuation of a long-running Chinese espionage campaign which is intended to satisfy intel requirements on its regional neighbors,” said Kevin Epstein, vice president, threat operations, at Proofpoint. “The targeting of government IT agencies is both expected and significant as China continues to expand the global footprint of its communications technologies.”
AT&T will be forced to defend itself in court after a judge refused to throw out a $224m lawsuit alleging the firm is liable for handing over the defendant’s SIM card to hackers.
The telco giant is in the dock after entrepreneur Michael Terpin was hit by a classic SIM swap attack, in which hackers persuaded an AT&T agent in a Connecticut store to transfer his mobile phone number to a new SIM.
They were then able to intercept one-time passcodes sent via text to unlock Terpin’s cryptocurrency accounts and drain them of funds worth an estimated $24m.
In August last year, Terpin’s lawyers filed 16 counts of fraud, including gross negligence, invasion of privacy, unauthorized disclosure of confidential customer records, violation of a consent decree, and failure to supervise its employees and investigate their criminal backgrounds.
More broadly, Terpin is arguing that AT&T’s contract is too one-sided.
“Mr Terpin’s claim seeks to declare AT&T’s wireless customer agreement as unconscionable, void against public policy, and unenforceable in its entirety,” presiding judge Otis Wright said. “Specifically, he objects to the exculpatory provision that exempts AT&T from liability from its own negligence, acts or omissions of a third party, or damages or injury caused by the use of the device.”
Wright ruled that Terpin’s lawyers had “sufficiently alleged” that AT&T may have violated the Federal Communications Act by allowing unauthorized access to their client’s accounts – meaning the $224m lawsuit will proceed.
“Judge Wright strongly repudiated AT&T’s audacious bid to prevent Michael from demonstrating to a jury the carrier’s contempt for consumers’ privacy and utter disregard of its legal obligations to prevent this very type of SIM swap and financial crime,” noted Terpin’s lead counsel Pierce O’Donnell. “The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card.”
The case will be watched eagerly by other telco providers as SIM swapping becomes increasingly commonplace.
It’s believed that Terpin’s nemesis on this occasion was a gang led by New Yorker Nicolas Truglia, the arrested “Bitcoin bandit” who used phishing techniques and fake ID documents bought on the dark web to con telco support operatives into porting customer phone numbers.
Paul Dunphy, research scientist at OneSpan’s Innovation Centre, said the attacks also raise serious questions about the use of SMS in multi-factor authentication (MFA).
“The result of this court case will have big implications for designers of multi-factor authentication, and it will be interesting to see how mobile networks evolve the security of their number porting process in future,” he added. “I’d advise that for high value accounts individuals should avoid using SMS for multi-factor authentication, especially for cryptocurrency.”
A group of anonymous researchers has outed the APT17 cyber-attack group (aka DeputyDog) as a Chinese Ministry of State Security (MSS) operation, potentially paving the way for more US indictments.
Intrusion Truth has been right before, when it identified APT3 and APT10 as MSS groups, the former operated by a contractor known as Boyusec. These revelations led to Department of Justice indictments against some of the groups’ members in 2017 and 2018.
Now Intrusion Truth has identified a likely MSS officer, Guo Lin, who studied information security to master’s level and is affiliated with four private technology companies in the eastern city of Jinan.
The group also identified two hackers from Jinan – Wang Qingwei, who works at one of those four tech firms, and Zeng Xiaoyong (aka “envymask”).
Zeng is said to have submitted code used in a popular Chinese APT hacking tool known as ZoxRPC, which was subsequently developed into a newer tool, ZoxPNG (aka BLACKCOFFEE) by another Jinan hacker, Zhang Peng. ZoxPNG became a key part of multiple APT17 hacking campaigns, the blog post continued.
“Either, one of the authors of code in APT17’s primary malware just happens to be associated with a series of cybersecurity outfits that claim the MSS as their clients and are coincidentally managed by an MSS officer,” concluded Intrusion Truth. “Or, MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security manages APT17.”
China’s MSS is a sprawling, powerful intelligence agency that can be thought of as a combination of the FBI and CIA. That is, it deals with domestic affairs and foreign intelligence operations.
It is believed that hacking operations have increasingly been shifted from the PLA to this agency over the past few years, as attacks become more sophisticated.
Washington is increasingly prepared to name and shame officers in indictments, although there’s little chance of them ever facing justice. This happened with charges issued in October last year related to a conspiracy to steal aviation secrets.
In a rare moment, US officials managed to arrest an alleged MSS officer in that same month, in connection with another plot to steal aviation secrets.
Facebook has set out plans for a radical overhaul of its internal processes to foreground user privacy, in the wake of its record FTC fine.
The social network was slapped with a $5bn penalty by the US regulator following mistakes that led to personal data on 50 million users and their friends being used by shadowy political consultancy Cambridge Analytica without their knowledge.
It has been argued that the data was used to try to influence the outcome of the Brexit referendum and the 2016 US Presidential election.
In a blog post on Wednesday, general counsel Colin Stretch outlined the steps Facebook is taking to build a security and privacy-by-design culture “on a different scale than anything we’ve done in the past” – with transparency and accountability front-and-center.
“It introduces more stringent processes to identify privacy risks, more documentation of those risks, and more sweeping measures to ensure that we meet these new requirements,” he said. “Going forward, our approach to privacy controls will parallel our approach to financial controls, with a rigorous design process and individual certifications intended to ensure that our controls are working — and that we find and fix them when they are not.”
Privacy protections will be built into every product, with any risk documented and resolved, and more monitoring and reporting obligations placed on the firm. There will be detailed quarterly reports to verify compliance signed by Mark Zuckerberg and with executive accountability throughout.
An independent privacy assessor will report to a new board committee each quarter and the FTC, to ensure the firm is living up to its commitments.
“We expect it will take hundreds of engineers and more than a thousand people across our company to do this important work, and we expect it will take longer to build new products following this process going forward,” said Zuckerberg in a statement.
“Overall, these changes go beyond anything required under US law today. The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone.”
Although the measures go beyond US law, they chime very much with the expectations of GDPR regulators – highlighting again that the EU law is leading the way globally in terms of privacy legislation.
In fact, it’s likely to work in Facebook’s favor in the long run if it can effectively roll out a single privacy regime across its entire global operations.
The latest edition of nonprofit VideoLAN’s VLC media player software has what German agency CERT-Bund is calling a serious security flaw that allows hackers to install and run software without the user’s knowledge, according to NewsX.
“This is just one in a long and constant stream of flaws in VLC. I absolutely would not recommend that anyone access untrusted content with VLC due to the high risk of memory corruption vulnerabilities. In general, VLC does not have a good reputation in the security industry as they regularly will leave vulnerable pre-compiled executables for download despite having patched them in the latest source code,” said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT). “Video players are a frequent target for file format exploits due to the inherent complexity of parsing multimedia files.”
If exploited, an attacker could gain remote access and potentially disclose information, manipulate files or create a denial-of-service state. According to NIST’s National Vulnerability Database, the vulnerability CVE-2019-13615 in the media player “has a heap-based buffer over-read.”
This isn’t the only VLC issue disclosed this month, according to Larry Trowell, principal consultant at Synopsys. “There have been four recent vulnerabilities disclosed that are loosely related to the same area of code. While the issue is serious, using the CVSS 3.0 standard to rate the severity of a vulnerability can be a bit misleading as issues tend to rank higher than in version 2. Using the CVSS 2.0 scale, this vulnerability ranks as a 7.5,” Trowell said.
Because the user has to voluntarily interact with the attack mechanism, Trowell said the attacker can’t initiate. “It’s easy to make a corrupted stream, but the trick is getting a user to play it. Also, this attack doesn’t give an attacker any extra privileges.
“There are not a lot of people who are playing random videos they get off the internet as the root/admin user on their computers. This attack can only be triggered with user interaction: the user has to either download a malicious file or open a stream that is streaming said files,” Trowell said.
As a result, a malicious actor would be dependent on the user searching out and opening a corrupted file. Trowell noted that this could be accomplished with a phishing campaign, but “it seems like in most cases the video sent would be opened with the internet browser or the email client, not VLC.
“Video parsing is hard to do correctly. There is a reason that a number of issues have been found and a reason why a correct patch will take time to implement and test. I do not know when the finding was announced to VLC or if any time was given to fix the issue before its announcement, and that should be taken into account when criticizing the company for not having a fix ready,” Trowell added.
After analyzing proprietary research and data derived from the volume of malicious activity on the internet, the report found that cyber-criminals cost the global economy $2.9 million every minute last year, for a total of $1.5 trillion.
Major companies are paying $25 per internet minute because of security breaches, while hacks on cryptocurrency exchanges cost $1,930. Criminals are leveraging multiple tactics, from malvertising to phishing and supply chain attacks. The loss from phishing attacks alone is $17,700 per minute. Global ransomware events in 2019 are projected to total $22,184 by the minute.
"As the scale of the internet continues to proliferate, so does the threat landscape," said Lou Manousos, CEO of RiskIQ, in today’s press release. "By compiling the vast numbers associated with cybercrime in the past year, we made the research more accessible by framing it in the context of an 'internet minute.' We are entering our third year defining the sheer scale of attacks that take place across the internet using the latest third-party research and our own global threat intelligence so that businesses can better understand what they're up against on the open web."
Cyber-criminals have also increasingly targeted e-commerce with Magecart hacks, which grew by 20% over the last year. The study found that 0.21 Magecart attacks were detected every minute. The data also revealed that in each internet minute 8,100 identifier records are compromised, seven malicious redirectors occur and 0.32 apps are blacklisted. In addition, the research found 2.4 phish traversing the internet per minute.
“Without greater awareness and an increased effort to implement necessary security controls, there will be more attacks using an ever-expanding range of technologies and strategies,” Manousos said. “With the recent explosion of web and browser-based threats, organizations should look to what can happen in a matter of minutes and evaluate their current security strategy. Businesses must realize that they are vulnerable beyond the firewall, all the way across the open internet."
Though antivirus software is used to protect PCs and other devices from unknown malware and threats, Comodo’s product – which has over 85 million desktop software installations across more than 700,000 business customers – is riddled with vulnerabilities that would ultimately grant an attacker complete control over the machine. Researchers discovered a sandbox escape and a privilege escalation to SYSTEM, according to a Tenable blog post published today. An attacker could even disable the antivirus altogether, leaving the device unprotected and vulnerable, the researchers explained.
“Comodo uses many IPC mechanisms between its various AV components: Filter Ports, Shared Memory, LPC, and COM,” wrote Tenable’s David Wells.
“We happen to know Comodo has the capability to invoke scan jobs from low-privilege processes such as explorer.exe (via its Context Shell Handler, the menu that appears when a user right-clicks) or Cis.exe (Comodo client GUI). These scan jobs are executed by invoking routines in CAVWP.exe, which runs as SYSTEM.”
In total, researchers discovered five different vulnerabilities, which are demonstrated in a proof-of-concept video that illustrates the risks.
Researchers wrote that they had disclosed the vulnerabilities to Comodo on April 17. The company confirmed some of the vulnerabilities on May 7, adding that it is awaiting confirmation of others. According to the disclosure, Tenable followed up to request a status update several times before Comodo reported on June 7 that the “LPE vulnerability is partially due to Microsoft's fault.”
On July 8, Tenable asked for a status update on when fixes would be released. As of the July 22 disclosure, researchers had not been made aware of a patch to address these vulnerabilities. In an email to Infosecurity, a Comodo spokesperson wrote, "There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."
Sky customers have been advised to reset their passwords as a security measure.
In an email sent to a number of its customers, the company wrote: “At Sky we take the security of your data and information extremely seriously. To help keep your account safe we have reset the password for your Sky account.”
Sky confirmed on Twitter that the message is genuine and prompted recipients to follow the link to reset their password, although the reason behind the reset remains unclear.
“The latest news regarding password resets occurring for email accounts with sky.com, as so-called ‘precautionary measures’ that have been taken, indicates that the incident is ongoing and possibly the root cause is still unknown,” said Joseph Carson, chief security scientist & advisory CISO at Thycotic.
“If indeed this was a credential stuffing cyber-attack, then there would be an indicator of a high number of failed log-in attempts, hopefully resulting from some users following best practices by not using the same password across multiple accounts. This is what credential stuffing is trying to abuse using an automated process.”
Sky needs to be following incident response best practices and treating this incident as serious because, in many cyber-incidents, you tend to uncover more serious data breaches when you start looking harder, Carson added. “Sky customers should really start using password managers and two-factor authentications to ensure that a password is not the only security protecting sensitive data.”
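The indicator Carson describes, a burst of failed logins spread across many different accounts rather than many failures against one account, is easy to check for in web authentication logs. The block below is an added example, not code from Sky or Thycotic: the log format, the field names and every log line are constructed, and the source addresses come from documentation ranges. It separates a credential-stuffing pattern (one source, many accounts, mostly failures) from ordinary password guessing (one source, one account) and from a user mistyping a password, and lists the accounts that did authenticate from a stuffing source, which are the ones that need a reset first.

```python
"""Flag credential-stuffing style login activity in authentication logs.

Constructed example: the log format and all lines below are made up.
Credential stuffing replays leaked username/password pairs against many
distinct accounts from few sources, so the signal is a dense run of failures
across many accounts, not many failures against a single account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO ts> auth <success|failure> user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def _line(minute, second, result, user, src):
    return f"2019-07-25T10:{minute:02d}:{second:02d}Z auth {result} user={user} src={src}"


# Constructed sample log (not real Sky data).
SAMPLE_LOG = (
    # 1) stuffing burst: 40 distinct accounts tried from one source, two succeed
    [_line(0, i, "failure", f"user{i:03d}", "203.0.113.5") for i in range(38)]
    + [_line(1, 0, "success", "user038", "203.0.113.5"),
       _line(1, 1, "success", "user039", "203.0.113.5")]
    # 2) password guessing: one account hammered from another source
    + [_line(2, i, "failure", "alice", "198.51.100.7") for i in range(30)]
    # 3) a legitimate user who mistyped twice, then logged in
    + [_line(3, 0, "failure", "bob", "192.0.2.9"),
       _line(3, 5, "failure", "bob", "192.0.2.9"),
       _line(3, 9, "success", "bob", "192.0.2.9")]
)


def parse(lines):
    """Turn raw log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_failures=20, min_accounts=10):
    """Return {src: label} for sources with >= min_failures failed logins in
    any window-long span. The label is 'credential_stuffing' when those
    failures touch >= min_accounts distinct accounts, else 'password_guessing'.
    Sources below min_failures (typos, forgotten passwords) are not returned."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    verdicts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(fails)):
            # slide the window start forward until the span fits in `window`
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            span = fails[lo:hi + 1]
            if len(span) >= min_failures:
                accounts = {e["user"] for e in span}
                if len(accounts) >= min_accounts:
                    verdicts[src] = "credential_stuffing"
                else:
                    verdicts[src] = "password_guessing"
                break
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a flagged stuffing source:
    the first candidates for a forced password reset."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success"
                   and verdicts.get(e["src"]) == "credential_stuffing"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    print(verdicts)
    print("reset first:", compromised_accounts(evs, verdicts))
```

The thresholds are illustrative; in production they would be tuned against the site's normal failure rate, and the source key would usually be a combination of address, user agent and session rather than an IP alone, since stuffing tools rotate through proxies.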
The NSA has announced a new unit tasked with taking on foreign adversaries like Russia and China in cyberspace.
The Cybersecurity Directorate, which will be operational from October, is to be led by Anne Neuberger. She previously led an NSA unit known as the Russia Small Group which was set up to manage the threat from Kremlin hackers during the recent mid-terms.
It will reportedly “unify NSA's foreign intelligence and cyber-defense missions and is charged with preventing and eradicating threats to National Security Systems and the Defense Industrial Base.”
NSA director and Cyber Command boss Paul Nakasone announced the new directorate at a speaking engagement at Fordham University.
“We have two missions and for a number of years, NSA has been very active in what was called the information assurance mission. We are re-emphasizing that mission under the Cybersecurity Directorate under Anne Neuberger's leadership,” the agency said in a series of live tweets from his speech at the event.
“The Department of Defense can’t wait for our adversaries to come to us. Working with our allies, we will defend forward. It’s a strategy that now accepts the fact that we have to get involved early on. The American public should rest assured that there will be consequences for taking the US on.”
The threat to national security from state-sponsored attackers has never been greater – whether it’s sabotage of smart systems and operational technologies, theft of sensitive military and other IP, breaches of information on key personnel or interference in elections.
Given that critical infrastructure is mainly run by private companies, attacks are often targeted at this sector.
Just last week, Microsoft revealed that it had warned 10,000 customers they had been targeted by nation state attacks over the past year. This included 742 political organizations including NGOs and think tanks, with 95% of them based in the US.
If there are attempts by foreign nations to disrupt the 2020 US Presidential election, preparations will certainly be well underway by now.
Security experts are warning of a new tactic used by BEC attackers, as new stats reveal that businesses on average receive five scams each month.
The latest technique involves scammers impersonating CEOs, not to demand a fund transfer but instead a list of customers who owe the company money, according to Agari threat researcher James Linton.
This “aging report” or “schedule of accounts receivable” is held by every accounting department as an essential way to manage unpaid invoices and credit memos.
However, if the victim falls for the scam and hands the list over to the attacker, they’re unwittingly providing them with a valuable piece of intelligence.
Once the aging report has been received, the scammer typically asks for email addresses of all the customers on it. They can then email these companies pretending to be a member of the finance team requesting the outstanding balance listed on the report be paid, explained Linton.
“The scammers will likely offer incentives for them to resolve their ‘debts’ more quickly, such as reducing the amount they owe if they settle their outstanding balance immediately,” he said.
“The actor is then only left to inform the payee that there has been a recent change of banking details and provide them with updated account information for an account controlled by the criminals.”
He warned that this type of scam is arguably more disruptive than a regular BEC attack because it requires the affected company to contact all their customers to warn of a potential threat.
The news comes as new figures emerged from Symantec revealing that an average of 6,029 organizations were targeted by BEC emails each month during the past 12 months.
The top five countries targeted were the US (39%), the UK (26%), Australia (11%), Belgium (3%) and Germany (3%).
The UK government has further delayed its decision on whether to allow Huawei to supply key equipment for the country’s 5G networks, as it seeks to clarify Washington’s strategy.
The culture secretary, Jeremy Wright, claimed yesterday, on announcing the Telecoms Supply Chain Review, that it would not be “sensible, helpful or responsible” to make a final decision yet.
In a statement, his department said:
“The government continues to consider its position relating to high risk vendors. Following action by the US Department of Commerce and uncertainty around the implications for the telecoms market as a whole from the entity listing, the government is further considering its position relating to high risk vendors. Decisions in this area will be made in due course.”
It may be waiting a long time for a coherent strategy from the US, given that Donald Trump seems to be wavering between the hard-line approach supported by Congress, and using Huawei as a bargaining chip in his ongoing trade war with China.
Most recently, his administration appeared to row back on tough sanctions which would prevent US companies from selling Huawei key components – a move which would have crippled the company. Instead, US firms will be allowed to sell parts that are generally available elsewhere.
At Infosecurity Europe this year, National Cyber Security Centre (NCSC) boss Ciaran Martin repeated the argument he and GCHQ have made over the past year: that Huawei does not pose an intrinsic national security risk simply because it is a Chinese company.
He argued that the focus should be on building 5G networks that are secure whatever the supplier – something that the supply chain review focuses on with a new framework and series of requirements for telecoms players.
GCHQ experts have in the past raised serious concerns about the quality of security processes at Huawei, which could in themselves be a national security threat if exploited by third parties.
In April, it was revealed that Theresa May’s government had decided to allow Huawei to supply non-core parts of 5G networks. Her successor, Boris Johnson, will now be urged by all parties to make a swift decision.
Dmitry Kurbatov, CTO of security company Positive Technologies, claimed banning Huawei outright would lead to extra cost and delays.
“Huawei is already embedded so much in the 5G ecosystem, mainly because many mobile network operators have already purchased or ordered Huawei equipment,” he added.
“This issue can’t be solved with a solution as idealistically simple as just swapping it for an alternative vendor immediately. There is also the additional cost of delaying deployments, as companies had already tested 5G equipment, chosen Huawei, and were ready to buy. If Huawei is taken away as an option, this whole process – including testing – would have to be started all over again.”
The financially motivated threat group known as FIN8 has recently reemerged after being somewhat dormant, according to new research from Gigamon’s applied threat research (ATR) team.
Researchers have published findings that show FIN8 continues to evolve and adapt its tools. As part of the threat research, ATR discovered a reverse shell from FIN8, dubbed BADHATCH, while observing variants of the ShellTea implant and PoSlurp memory scraper malware. In the report, ATR also compares BADHATCH to other popular malware variants, such as PowerSniff.
“The BADHATCH sample begins with a self-deleting PowerShell script containing a large byte array of 64-bit shellcode that it copies into the PowerShell process’s memory and executes with a call to CreateThread. This script differs slightly from publicly reported samples in that the commands following the byte array are base64 encoded, possibly to evade security products. While previous analyses saw PowerSniff downloaded from online sources and executed, Gigamon ATR incident response partners recorded the attackers launching the initial PowerShell script via WMIC,” researchers wrote.
In its initial stage, BADHATCH locates the embedded DLL in order to execute the injection, which creates a local event job. “On startup, and every 5 minutes thereafter, the sample beacons to a hardcoded command and control (C2) IP (149.28.203[.]102) using TLS encryption, and sends a host identification string derived from several system configuration details and formatted as %08X-%08X-%08X-%08X-%08X-SH. Only the one hardcoded IP address and no C2 domains were observed,” the report said.
BADHATCH reportedly contains no methods for sandbox detection, differentiating it from PowerSniff. Additionally, “it includes none of the environmental checks to evaluate if it is running on possible education or healthcare systems and has no observed built-in, long-term persistence mechanisms.”
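Because BADHATCH calls back to a single hardcoded address every five minutes over TLS, the payload and the host identification string are hidden on the wire, but the timing is not. The block below is an added example, not Gigamon ATR's code: it looks for near-constant connection spacing between a host pair in outbound connection metadata. The records are constructed; the destination address is the C2 IP the report names (149.28.203[.]102), while the internal hosts, the other destinations and all timestamps are made up.

```python
"""Spot fixed-interval C2 beaconing in outbound connection metadata.

Added example (not Gigamon ATR's code). Only connection timestamps are needed,
so it works on TLS traffic whose contents cannot be inspected. The sample
records are constructed; 149.28.203.102 is the C2 address from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _conn(ts, src, dst, dport=443):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport}


BASE = datetime(2019, 7, 25, 9, 0, 0)

# Constructed sample: one host beaconing every 5 minutes with a few seconds of
# jitter, one host browsing a site at irregular times, one host with too few
# connections to judge.
SAMPLE_CONNS = (
    [_conn(BASE + timedelta(minutes=5 * i, seconds=i % 3),
           "10.0.0.21", "149.28.203.102") for i in range(12)]
    + [_conn(BASE + timedelta(minutes=m), "10.0.0.22", "198.51.100.40")
       for m in (0, 1, 9, 10, 11, 30, 31, 55, 56, 57, 58, 80)]
    + [_conn(BASE + timedelta(minutes=m), "10.0.0.23", "203.0.113.77")
       for m in (0, 20)]
)


def beacon_candidates(conns, min_count=8, max_jitter=0.05, min_regular=0.9):
    """Return {(src, dst): median_gap_seconds} for host pairs whose connection
    spacing is near-constant.

    A pair is flagged when it has at least min_count connections and at least
    min_regular of the gaps between consecutive connections lie within
    max_jitter (as a fraction) of the median gap. Real browsing produces a
    wide spread of gaps; a timer-driven beacon produces a tight cluster."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"])].append(c["ts"])
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps, nothing to measure
        regular = sum(1 for g in gaps if abs(g - med) <= max_jitter * med)
        if regular / len(gaps) >= min_regular:
            found[pair] = med
    return found


if __name__ == "__main__":
    for (src, dst), gap in beacon_candidates(SAMPLE_CONNS).items():
        print(f"{src} -> {dst}: beacon every {gap:.0f}s")
```

Blocking the one observed IP is the cheap mitigation the report's findings allow, since no C2 domains were seen; the interval check above is address-agnostic, so it also covers a rebuilt sample pointed at a different server, at the cost of false positives from legitimate pollers (update checks, monitoring agents), which need an allow-list.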
One of the more important tools in the FIN8 toolkit is the component that retrieves credit card numbers as they pass through payment-card processing systems, the report said. Breaking down FIN8’s information collection process, the researchers explained that the malicious actors first deploy the non-persistent BADHATCH reverse shell to the server and then issue commands to each POS system in a target list before executing the PoSlurp.B PowerShell script.