Lancaster University has confirmed that it was “subject to a sophisticated and malicious phishing attack” which resulted in breaches of student and applicant data.
This has led to undergraduate student applicant data records for 2019 and 2020 being accessed, including names, addresses, telephone numbers and email addresses. Lancaster confirmed in its statement that it was “aware that fraudulent invoices” were being sent to some undergraduate applicants and has warned applicants to be aware of any suspicious approaches.
Also breached was Lancaster’s student records system. “At the present time we know of a very small number of students who have had their record and ID documents accessed,” it confirmed.
Its statement said that it “acted as soon as we became aware that Lancaster was the source of the breach on Friday” and immediately reported the issue to the Information Commissioner’s Office.
“Since Friday we have focused on safeguarding our IT systems and identifying and advising students and applicants who have been affected,” it said.
A spokesperson for the Information Commissioner’s Office said that the incident had been reported to them, and it was currently assessing the information provided.
The news follows the announcement that over 60 US colleges had been compromised after hackers exploited a vulnerability in popular ERP software.
Ed Macnair, CEO of Censornet, said that this proves how targeted cyber-criminals are becoming in their hacking methods, and how any and all sectors are now at constant risk. “The attack happened through the ever persisting phishing method,” he said. “This kind of data allows criminals to carry out attacks like credential stuffing, where hackers attempt to log in to a number of an individual's accounts with the intent to access card details that have been linked to certain accounts.
“This attack highlights how absolutely any organization is now vulnerable to being hacked, so more vigilance, education, and sophisticated protection is required.”
Iranian threat actors are believed to be behind a phishing campaign that is masquerading as a member of Cambridge University to target users of LinkedIn, according to FireEye.
“In June 2019, FireEye devices detected a large phishing campaign from APT34 targeting Middle East critical infrastructure, telecom, and oil and gas entities. This campaign is consistent with the overall Iranian targeting of the energy sector that we’ve seen dating back to at least 2012. Further, this activity is representative of Iran's overarching efforts to collect strategic information of relevance to its national interests. With increasing geopolitical tensions between the U.S. and Iran and the introduction of new sanctions, we expect Iran to continue to increase the volume and scope of its cyber-espionage campaigns,” FireEye's principal analyst, cyber-espionage analysis, Cristiana Brafman Kittner wrote in an email.
In addition, the behavior aligns with elements of activity reported as OilRig and Greenbug by various security researchers who have attributed those attacks to APT34. “This threat group has conducted broad targeting across a variety of industries operating in the Middle East; however, we believe APT34's strongest interest is gaining access to financial, energy, and government entities,” researchers wrote.
Victims received a message from “Rebecca Watts,” purportedly a member of the research staff at Cambridge University.
These types of attacks have been seen across social media platforms, whereby criminals attempt to gain a foothold into the network or infrastructure by inducing users to click on malicious links or to download compromised files.
“Organizations and nation-states should be prepared for what is already to all intents and purposes a war. Cybercrime, much like any other form of criminal activity, is either motivated by monetary gains or by political interests, or – more often – by both,” said DomainTools’s senior security advisor Corin Imai.
“Both private and public organizations should be investing in their employees’ cybersecurity training. As threats continue to evolve, having a solid foundational understanding of the best practices to stay safe online is the most effective way to create a first line of defense. In the current climate, organizations can no longer compromise on their security efforts, which should be holistic and account for both technical vulnerabilities and for human ones,” said Imai.
More than 40% of UK organizations believe cyber-attackers can infiltrate their networks at every attempt, according to new research from CyberArk.
CyberArk surveyed 1000 global organizations and detailed its findings in the CyberArk Global Advanced Threat Landscape Report 2019. The firm discovered that while UK organizations view privileged access security as a core component of an effective cybersecurity program, understanding has not yet translated to action.
For example, only 45% of those polled have a privileged access security strategy in place for protecting business-critical applications, and the same proportion have one for cloud infrastructure, with even fewer having a strategy for DevOps (28%) or IoT (20%).
What’s more, only 17% of respondents understood that privileged accounts, credentials and secrets exist in containers.
UK organizations ranked hackers (74%), organized crime (57%), hacktivists (46%) and privileged insiders (42%) among the greatest threats to critical assets.
Rich Turner, SVP EMEA, CyberArk said: “These findings are sober reading for businesses and cybersecurity practitioners. Despite the vast sums being spent on cybersecurity, it’s clear that businesses have very little confidence in their ability to defend themselves from cyber-attacks, protect their most critical assets, or their value creation activities. UK businesses need to be on the front foot with security, know what is most valuable to them, how it may be attacked and how to protect it while ensuring their cyber-strategy supports collaboration and innovation.
“Proactive cybersecurity strategies have to be implemented wherever critical data and assets live, specifically to manage and secure the privileged credentials that are fundamental to their operation. This is the most valuable step security teams can take to support wider business initiatives in today’s digital economy.”
Passwords continue to be a top security challenge for organizations, with penetration testers revealing that they can easily guess passwords in the majority of their engagements, according to the 2019 Under the Hoodie report published by Rapid7.
The new report, which documents the results of 180 pen tests carried out from September 2018 through May 2019, highlights the most common external and internal weaknesses present in companies. Sample findings showed that password management continues to be a problem. In 72% of engagements hackers were able to compromise one password. Of those, 60% were easily guessed passwords.
In its fifth year, the report shows year-over-year progress. The data suggests that basic network segmentation controls between internal and external networks are generally effective, particularly when looking at migration to the cloud for externally accessible resources.
In only 21% of externally based engagements were hackers able to gain internal LAN access. The numbers decreased significantly for web-application-specific engagements, where hackers rarely, if ever, succeeded (under 3%) in achieving a total site-wide compromise. Over 70% of web applications were hosted somewhere other than the client's data center, making an attacker’s path far more complex.
“The traditional 'external compromise' test, where the client wants to ferret out their weaknesses and exposures that are exposed to the general internet, is the most popular scoping choice, accounting for just about 40% of the engagements surveyed,” according to the report.
“This makes sense, since most clients are concerned about external bad actors – the criminal hackers that don't already have some reach into the internal network and are seeking some kind of leverage over the target to execute whatever criminal enterprise they're involved in.”
Once attackers gain a foothold, the next task is to leverage access to more and better systems across the internal network. Increasingly attackers are veering away from using PowerShell to gain a foothold because its restrictions are “becoming increasingly common in enterprise Windows networks, and while attackers got a lot of mileage in years past with PowerShell, those techniques seem to be falling by the wayside in 2019,” the report said.
Huawei secretly helped North Korea build and maintain its 3G mobile network, potentially breaking US sanctions in the process, a new report has sensationally claimed.
A former employee leaked sensitive internal documents to The Washington Post, allegedly revealing a number of projects related to building out 3G in the hermit state. The documents are said to refer to North Korea, and countries like Iran and Syria, by code.
Huawei is reported to have partnered with Chinese state-owned firm Panda International Information Technology on the projects.
The Shenzhen giant has hit back at the claims, arguing that it has “no business presence” in North Korea.
“Huawei is fully committed to comply with all applicable laws and regulations in the countries and regions where we operate, including all export control and sanction laws and regulations of the UN, US, and EU,” a statement from the firm noted.
Huawei has been at the center of a growing conflict between the US and China over trade and national security. Its activities conflate the two issues, because some US lawmakers believe it has gained an unfair advantage on the world stage over the past few years, and that its 5G networks pose a security risk.
Donald Trump declared a national emergency in May 2019 in a move designed to prevent Chinese tech companies from building the country’s 5G networks.
At the same time, the US put Huawei on a potentially crippling entity list, preventing US firms from selling it key components. Trump has since rowed back on this threat, saying the US will provide parts where they are already generally available.
Although the President seems to be using the firm as a bargaining chip in his trade discussions, the latest revelations may force more punitive action from Washington, with Congress calling for a tougher approach.
Huawei is already facing a 13-count indictment for breaching sanctions on Iran, for which its CFO Meng Wanzhou faces extradition, and a 10-count indictment over theft of intellectual property from T-Mobile.
The average global cost of a data breach has risen again, with experts at IBM claiming the financial impact can be felt for years after an incident.
The computing giant’s annual Cost of a Data Breach study has become a useful way to measure the impact of serious data loss on the bottom line.
The headline figure has risen from $3.86m to $3.92m over the past year, and in total by over 12% over the past five years, IBM claimed. However, in the US it is more than double this figure, at $8.19m.
Smaller companies with fewer than 500 employees suffered losses on average of over $2.5m, a potentially fatal sum. Mega breaches of over one million records cost $42m, while those of 50 million records are estimated to cost companies $388m.
For the first time, IBM measured the financial impact of a data breach over several years. It found that on average 67% of data breach costs were realized within the first year after a breach, but over a fifth (22%) accrued in the second year and another 11% did so more than two years after the initial incident.
Organizations in highly regulated environments like healthcare and financial services were more likely to see higher costs in the second and third years, it claimed.
Malicious breaches accounted for the majority (51%) of cases, up 21% over the past six years, and cost firms more – on average $4.45m per breach. However, accidental breaches accounted for nearly half (49%) of all incidents, with human error ($3.5m) and system glitches ($3.24m) costing slightly less than the global breach average.
For the ninth year in a row, healthcare organizations suffered the highest cost of a breach – nearly $6.5m on average.
IBM claimed that extensively tested incident response plans can minimize the financial impact of a breach, saving on average $1.23m.
Other factors affecting the cost of a breach include how many records were lost, whether the breach came from a third party and whether the victim organization had in place security automation tech and/or used encryption extensively.
“Cybercrime represents big money for cyber-criminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”
London’s Metropolitan Police has admitted that its public-facing news platform was compromised last Friday evening, leading to the publication of a string of offensive messages on Twitter.
Observers first noticed something was wrong after the Met’s Twitter feed, which has over one million followers, started to issue some bizarre messages at around 11pm.
These included missives such as “F*** THE POLICE FREE DA GANG!!,” “what you gonna do phone the police?,” and “XEON IS THE BEST FIGHTER IN SCOTLAND.”
It was later revealed that the incident wasn’t related to a compromise of the police force’s Twitter account but rather its Mynewsdesk platform.
The Met apologized to its subscribers and followers for the messages – which continued for the best part of an hour.
“The site is a micro site that is used to publish and distribute news from the Metropolitan Police. It can be used to generate emails and to send Tweets as well as publishing stories. The unauthorized content was sent out on Twitter and via email as well as appearing on the news site,” it explained in a statement.
“In response to the incident we are working closely with Mynewsdesk and specialist Met cyber-crime investigators to fully understand what has occurred and if there are criminal offenses. Immediate changes have been made to our accounts in response to the incident. There has been no compromise of the Met Police’s IT network.”
Donald Trump blamed London mayor Sadiq Khan for the incident, after retweeting a post by right-wing commentator Katie Hopkins.
The Met was also forced to temporarily use its @MPSOnTheStreet Twitter account rather than the main @MetPoliceUK account while it sorted the problem out.
The incident is a reminder for organizations to improve log-in security across public-facing sites, according to Stuart Sharp, global director of solution engineering at OneLogin.
“Whether it is marketing departments, sales teams, or DevOps, it is all too easy to start using a service and then just share credentials among a team. These passwords exist on Post-It notes, spreadsheets and emails and it seems that no one ever changes the password when a team member leaves the organization,” he argued.
“IT needs to communicate the security implications of using these services to line of business in an uncontrolled manner. Technically it’s not hard to do – organizations just have to take security more seriously.”
The Chinese government is enabling law enforcement and the military to monitor citizen behavior through advanced artificial intelligence and video surveillance, according to Charity Wright, a former NSA analyst who is now a cyber-threat intelligence analyst at IntSights Cyber Intelligence, who presented at the Asia Pacific & Japan 2019 RSA Conference.
In her presentation, Dark Consequences: How New Laws Are Impacting the Cyberthreat Landscape, Wright said the Chinese government has developed and implemented technology that can recognize people by their facial features and movements, eye color, hair color and distinct marks in an effort to increase national security. “This technology is implemented through millions of cameras across the nation and in airports and is allegedly able to find an individual in real time and send location information to law enforcement,” Wright wrote in an email to Infosecurity Magazine.
Additionally impacting the cyber-threat landscape is Vietnam’s Cybersecurity Law of 2017, which, Wright explained, “allows the government to collect data, including encrypted data within its borders and internet infrastructure, and forces companies in Vietnam to allow the government access to all data.”
The law also limits the content allowed within Vietnam and enables the government to secure the nation against foreign and domestic threats to the people and the regime, with a focus on cyber-threats from criminals and advanced nation-state actors, Wright said.
As many of these laws enforce limitations on how citizens can use the internet, the information they can access and what business they are allowed to do, Wright said, “Some restrictions incite fear of being constantly monitored by technology and government forces and push users to the dark web for anonymity in their internet use. Many people are flocking to cryptocurrency forums and dark web tutorials for advice on how to stay anonymous, how to not be tracked by their government and how to use alternate currencies. As usership in dark web forums grows, business grows. The deep web is often a gateway to criminal forums and markets that clear-web users would not be exposed to.”
A fake Office 365 site created by malicious actors has been discovered distributing a password-stealing Trojan, according to MalwareHunterTeam.
Disguised as Chrome and Firefox browser updates, the site is actually sharing the TrickBot Trojan.
A sample of one of the links appears to be legitimate, but the site quickly alerts the user that the browser needs to be updated, according to BleepingComputer. Clicking on the update button then launches an executable that installs the Trojan, the report said.
“Chrome is the leading browser, with 63% of web users, which translates to billions of users. With Chrome removing the XSS Auditor, web applications are now at risk of delivering a poor user experience. More users are potentially vulnerable to client-side injections due to that lack of alternatives,” said Deepak Patel, security evangelist at PerimeterX.
“Also, most users are unaware of the security implications of XSS Auditor removal,” he continued. “As a result of the change in Chrome, web application owners now have to take a hard look at client-side protection to preserve the user's intended path on their web properties. There is also an explosion in the use of third-party code/libraries in any modern application amplifying the client-side threats. The e-commerce, travel and hospitality, and retail verticals, in particular, need to protect their brand reputation. There is a good chance, with Chrome removing XSS Auditor, that bad actors will cash in and infect more users and web visitors. It is time to bolster application security with client-side protection and advanced bot management and mitigation. It is imperative for application owners to take control of the third-party code that runs on the users’ browser.”
Users are being warned to avoid installing browser updates prompted from pop-up alerts.
In a settlement between Equifax and the United States, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB), Equifax will pay $575 million for damages related to the 2017 data breach, according to today’s press release.
The allegations against Equifax claimed that the company’s failure to take “reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people,” the release stated.
“In its complaint, the FTC alleges that Equifax failed to secure the massive amount of personal information stored on its network, leading to a breach that exposed millions of names and dates of birth, Social Security numbers, physical addresses, and other personal information that could lead to identity theft and fraud.”
The settlement could potentially cost a total of $700 million given that the agreement mandates that Equifax implement a comprehensive information security program.
“I’m far from an Equifax apologist, but the truth is it could have been anyone. It’s not an excuse but rather the reality we live in. The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place,” said Adam Laub, CMO, STEALTHbits Technologies.
“And it’s got to be from the ground up too. There’s no silver bullet. There’s no one thing that mitigates the exposure. A multilayered, multifaceted approach is critical to making the juice not worth the squeeze for bad actors looking to score quickly and easily.”
One of the largest data breaches on record, the Equifax breach exposed the personal data of millions of people, much of which is likely still being used in account takeover (ATO) attacks, which is one reason Colin Bastable, CEO, Lucy Security, said, “We need a consumer compensation fund, into which all of these fines are paid, for disbursement to long-abused US consumers. And maybe we could rein in the credit reporting industry – if they did not collect and sell our personal financial data, we would not be in this mess.”
A former government contractor has been sentenced to nine years behind bars after stealing as much as 50TB of sensitive information over two decades.
Harold Martin III, 54, of Glen Burnie, Maryland, pleaded guilty to all charges – having previously denied them – back in March.
From December 1993 to August 27, 2016, he was employed by at least seven different defense contractors including Edward Snowden’s former employer, Booz Allen Hamilton.
He worked at the NSA and a number of other government agencies, holding security clearances up to Top Secret and Sensitive Compartmented Information (SCI) at various times.
Martin has admitted stealing and keeping, over a period of more than 20 years, documents relating to national defense, both hard copies and digital, including Top Secret and SCI information.
“As detailed in his plea agreement, Martin retained the stolen documents and other classified information at his residence and in his vehicle. Martin knew that the hard copy and digital documents stolen from his workplace contained classified information that related to the national defense and that he was never authorized to retain these documents at his residence or in his vehicle,” a DoJ statement noted.
“Martin admitted that he also knew that the unauthorized removal of these materials risked their disclosure, which would be damaging to the national security of the United States and highly useful to its adversaries.”
The big question is why Martin stole the documents. His defense team claimed it was only so that he could bone up on work at home to get better at his job. He was linked in some news reports to major leaks of sensitive government information by WikiLeaks and Shadow Brokers, although never charged.
Martin’s nine-year sentence will be followed by three years of supervised release.
Scores of US colleges and universities have been compromised after hackers exploited a vulnerability in popular ERP software, according to the Department of Education.
The government revealed the campaign in an alert last week, explaining that the flaw in question exists in the Ellucian Banner Web Tailor versions 8.8.3, 8.8.4, and 8.9, and Banner Enterprise Identity Services versions 8.3, 8.3.1, 8.3.2, and 8.4.
The former is a module of the Ellucian Banner ERP platform which allows organizations to customize their web apps. The latter is employed to manage user accounts.
The vulnerability in question, CVE-2019-8978, is an “improper authentication” flaw which has a CVSS 3.0 score of 8.1 (high) and could allow attackers to remotely access user accounts.
“This vulnerability allows remote attackers to steal a victim's session (and cause a denial of service) by repeatedly requesting the initial Banner Web Tailor main page with the IDMSESSID cookie set to the victim's UDCID, which in the case tested is the institutional ID,” noted a NIST advisory. “During a login attempt by a victim, the attacker can leverage the race condition and will be issued the SESSID that was meant for this victim.”
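As an added illustration (not Ellucian's code and not a reconstruction of Banner's actual logic), the Python model below shows why a pre-login session that is selected by a client-supplied identifier, as the advisory describes for the IDMSESSID cookie, lets a second party who presented the same identifier end up holding the session that is later authenticated as the victim, beside a store that issues server-generated IDs and regenerates them at login. The institutional ID and password are constructed for the demo.

```python
"""Toy model of the session-binding weakness described for CVE-2019-8978.

This is an added illustration, not Ellucian's code. A server that looks up or
creates the pre-login session from an identifier the client sends lets two
parties who present the same identifier share one session, so whoever holds
it after the victim logs in is treated as the victim. The hardened store
issues server-generated IDs and regenerates them at login. The user table
below is constructed for the demo.
"""
import hmac
import secrets

# Constructed user table (hypothetical institutional ID and password).
USERS = {"A00123456": "correct horse battery staple"}


def check_password(user_id: str, password: str) -> bool:
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(user_id)
    return expected is not None and hmac.compare_digest(expected, password)


class VulnerableSessionStore:
    """Pre-login session keyed by the client-supplied identifier (the flaw)."""

    def __init__(self):
        self.pending = {}   # client-supplied id -> session id handed out pre-login
        self.sessions = {}  # session id -> authenticated user id, or None

    def main_page(self, id_cookie: str) -> str:
        # Anyone who sends the same identifier receives the same session id.
        sid = self.pending.get(id_cookie)
        if sid is None:
            sid = secrets.token_urlsafe(16)
            self.pending[id_cookie] = sid
            self.sessions[sid] = None
        return sid

    def login(self, user_id: str, password: str):
        if not check_password(user_id, password):
            return None
        # The session handed out earlier for this identifier is promoted to an
        # authenticated one, regardless of who else was given the same id.
        sid = self.pending.pop(user_id, None)
        if sid is None:
            sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user_id
        return sid

    def whoami(self, sid: str):
        return self.sessions.get(sid)


class HardenedSessionStore:
    """Server-generated session ids, regenerated at login, never keyed by client data."""

    def __init__(self):
        self.sessions = {}  # session id -> authenticated user id, or None

    def main_page(self, id_cookie: str = "") -> str:
        # The client-supplied identifier plays no part in choosing the session.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, presented_sid: str, user_id: str, password: str):
        if presented_sid not in self.sessions or not check_password(user_id, password):
            return None
        # Discard the pre-login id and issue a fresh one, so a session handed
        # out (or planted) before authentication never becomes authenticated.
        del self.sessions[presented_sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user_id
        return new_sid

    def whoami(self, sid: str):
        return self.sessions.get(sid)


def demo():
    """Run both stores through the same sequence.

    Returns (vulnerable_hijacked, hardened_hijacked): whether the party that
    presented the victim's identifier first ends up authenticated as the victim.
    """
    victim = "A00123456"
    v = VulnerableSessionStore()
    other_sid = v.main_page(victim)    # someone else presents the victim's identifier first
    victim_sid = v.main_page(victim)   # the victim then loads the main page
    v.login(victim, USERS[victim])
    vulnerable_hijacked = v.whoami(other_sid) == victim

    h = HardenedSessionStore()
    other_sid = h.main_page(victim)
    victim_sid = h.main_page(victim)
    h.login(victim_sid, victim, USERS[victim])
    hardened_hijacked = h.whoami(other_sid) == victim
    return vulnerable_hijacked, hardened_hijacked


if __name__ == "__main__":
    print(demo())  # (True, False)
```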
The education department has now identified 62 colleges that have been affected by the flaw, after revealing that it spotted cyber-criminals actively scanning for organizations that had yet to patch.
“Victimized institutions have indicated that the attackers exploit the vulnerability and then leverage scripts in the admissions or enrolment section of the affected Banner system to create multiple student accounts,” the notice explained.
“It has been reported that at least 600 fake or fraudulent student accounts were created within a 24-hour period, with the activity continuing over multiple days resulting in the creation of thousands of fake student accounts. Some of these accounts appear to be leveraged almost immediately for criminal activity.”
It's unclear exactly what criminal activity was afoot, although the notice warned that because Banner “affects or influences all aspects of academic administration,” the vulnerability could put financial aid data at risk.
Russia’s fearsome intelligence agency the FSB has been trying to decrypt Tor traffic since 2012, according to new reports stemming from a major breach of a Russian defense contractor.
The firm in question, SyTech, was revealed to be working on several projects. It was breached by a group known as 0v1ru$, which defaced its website and stole 7.5TB of data from its servers – amounting to one of the worst such incidents of its kind in Russia.
The information, which includes details on several projects and the managers in charge of each, was passed on to another hacking group, Digital Revolution, who in turn passed it to reporters. Digital Revolution is said to have previously hacked the Kvant Research Institute, also run by the FSB.
Although no state secrets are said to have been exposed, the revelations are highly embarrassing for the Kremlin, and President Putin.
One project, Nautilus-S, describes an attempted de-anonymization of the Tor network, which began back in 2012.
Another version of the Nautilus project details an attempt to collect information on social media users, while one known as “Mentor” targets email communications sent by Russian enterprises.
Two more projects, Hope and Tax-3, are related to attempts by the Putin regime to split the internet in the country from the global web.
The plan was approved by the Russian parliament in April. Although it was billed as an attempt to reduce national security risk by pre-empting an online attack by foreign powers, it could also lay the foundations for a China-style great firewall, some have argued.
The latest revelations from SyTech show those plans are well along. Tax-3 will create an intranet for the storage of information on important state figures, while Hope is all about mapping the Russian internet and its connections to other countries.
Other projects revealed in the raid include ones targeting IM, file transfer services and P2P networks. They have apparently been ongoing since 2009 and are linked to FSB unit 71330.
Slack explained that it reset account passwords for 1% of its users. Any users who created their account before March 2015 and haven't since changed their passwords and do not use single sign-on (SSO) will likely have their passwords reset by the company.
“We were recently contacted through our bug bounty program with information about potentially compromised Slack credentials. These types of reports are fairly routine and usually the result of malware or password reuse between services, which we believed to be the case here,” Slack wrote.
Recognizing – and apologizing for – the potential inconvenience, Slack explained, “Today we are resetting passwords for all accounts that were active at the time of the 2015 incident, with the exception of accounts that use SSO or with passwords changed after March 2015. We have no reason to believe that any of these accounts were compromised, but we believe that this precaution is worth any inconvenience the reset may cause.”
The announcement highlights the continued need to educate consumers about proper security hygiene, according to Terence Jackson, chief information security officer at Thycotic.
“We cannot control the situation in which our data will be breached, but what we can do is limit the fallout when it happens. These credentials that were exposed in 2015 are still surfacing. Once the data is out there, it’s out there. Using a password manager to prevent password reuse and enabling multi-factor authentication on all accounts that support it are good first steps to protect your digital identities.”
Because of the high frequency of data breaches, Shahrokh Shahidzadeh, CEO at Acceptto, said we all must operate under the assumption that it’s only a matter of time before we truly understand that all of our credentials and personal information are already compromised.
For that reason, “The reliance on binary authentication methods, such as passwords independent of their length, or even mixing it with two-factor and multi-factor authentication solutions that are susceptible to phishing attacks, is a recipe for failure and a matter of when, not if. In light of recent developments, the only safe credential is one that is immutable and that can only be bio-behavioral-based,” Shahidzadeh said.
Over one-third of global finance chief information officers (CIOs) acknowledge that their organizations experienced an outage in the last six months, according to a new study from Venafi, the leading provider of machine identity protection.
The study queried more than 100 CIOs in the financial services industry from the U.S., U.K., France, Germany and Australia and found that financial services organizations are more likely to have digital certificate-related outages than other industries.
Since January 2019, 36% of financial organizations suffered an outage that had some degree of impact on critical business applications or services. Despite the impact to business, participating CIOs reported that they are more concerned about the impact to customers from certificate-related outages, with 50% of CIOs admitting they fear damage to brand from an outage.
Survey participants also said these types of outages are only going to become more severe, according to the report. Approximately one-third (34%) said they are concerned about increasing interdependencies, which could make future outages even more painful.
Meanwhile, certificate use continues to skyrocket in the financial services industry with 82% of respondents expecting to see certificate usage in their organizations grow by at least 25% in the next five years. In addition, 56% of respondents projected a minimum growth rate of greater than 50%.
“Organizations from every sector struggle with certificate-related outages on critical infrastructure, but it’s clear that these issues are even more pronounced in the financial services industry,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, in the release.
“The entire sector is focused on trust, performance and reliability, so they can’t afford service interruptions. At the same time, the industry has been transformed by open banking initiatives. As a result, financial services organizations rely on machine identities to secure and protect a wide range of business-critical, machine-to-machine communication. Unfortunately, these critical security assets are often unmanaged and unprotected, even though they protect mobile applications, containerization initiatives and cloud architectures.”
Researchers explained that over the course of the past three months, the malware framework has been responsible for more than one billion fraudulent Google AdSense ad impressions.
The malware uses three separate stages of installation to deliver a malicious browser extension that performs fraudulent AdSense impressions and generates likes on YouTube videos. It also watches hidden Twitch streams.
The initial stage of the framework executes the installer, which either sets up a new browser or downloads a module that does so. “The installer sets itself up as a task related to Windows Update by creating an XML file on the local disk and executing it as a scheduled task (schtasks),” the July 18 blog post explained. It then checks to make sure the installer was successful.
The second component is the finder, “a module designed to steal browser logins and cookies, package them in .zip files, and send them to the attacker’s command-and-control infrastructure.” Finally, the patcher module sets up the browser extension.
The malware is generating revenue for its operators, who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers such as Google Chrome, Mozilla Firefox and Yandex’s browser, according to the research.
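The installer stage described above persists by registering a scheduled task dressed up as Windows Update work. As an added defender-side example (not code from the researchers or the malware authors), the Python below triages a Task Scheduler XML definition, the same schema `schtasks /Create /XML` consumes, and reports why a task that claims a Windows Update role does not look like one: registered outside the `\Microsoft\Windows\` library folder, running a binary outside the Windows directory, or running from a user-writable path. The two task definitions, the trusted-folder and user-writable path lists, and the environment-variable expansion are constructed assumptions about a stock `C:\Windows` install.

```python
"""Triage a Task Scheduler XML definition that claims to be a Windows Update task.

Added defender-side example, not the research team's code. Both task
definitions below are constructed samples; folder and path heuristics assume
a default Windows layout.
"""
import re
import xml.etree.ElementTree as ET

# Genuine Windows Update tasks live under this library folder (assumption:
# stock Windows). Registration location alone is a weak signal, since an
# administrator can register anywhere; the action's binary path is stronger.
TRUSTED_FOLDER = "\\microsoft\\windows\\"
WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}  # assumed expansion

# Constructed sample: impostor task that runs an installer from a user profile.
MALICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Windows Update Helper</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\WinUpd\installer.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: a task that starts the real update service from system32.
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Windows Update scheduled start</Description></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\sc.exe</Command><Arguments>start wuauserv</Arguments></Exec>
  </Actions>
</Task>
"""


def _local(tag):
    """Drop the XML namespace so lookups work with or without the default xmlns."""
    return tag.rsplit("}", 1)[-1]


def _expand(command):
    """Lowercase, unquote and expand the few environment variables we assume."""
    path = command.strip().strip('"').lower()
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def triage_task(task_path, xml_text):
    """Return the reasons this task looks like a Windows Update impostor (empty if clean)."""
    root = ET.fromstring(xml_text)
    description, commands = "", []
    for el in root.iter():
        if _local(el.tag) == "Description" and el.text:
            description += el.text
        elif _local(el.tag) == "Command" and el.text:
            commands.append(el.text.strip())

    findings = []
    claims_update = re.search(r"windows\s*update", f"{task_path} {description}", re.I) is not None
    if claims_update and not task_path.lower().startswith(TRUSTED_FOLDER):
        findings.append("named like Windows Update but registered outside \\Microsoft\\Windows\\")
    for cmd in commands:
        exe = _expand(cmd)
        if claims_update and not exe.startswith(WINDOWS_DIR):
            findings.append(f"Windows Update impostor runs a binary outside the Windows directory: {cmd}")
        if any(marker in exe for marker in USER_WRITABLE):
            findings.append(f"action runs from a user-writable location: {cmd}")
    return findings


if __name__ == "__main__":
    print(triage_task("\\WindowsUpdateCheck", MALICIOUS_TASK))
    print(triage_task("\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start", BENIGN_TASK))
```

On a live host the XML comes from `schtasks /Query /XML /TN <name>` (or `Export-ScheduledTask` in PowerShell); the task path passed in is the library path the task is registered under.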
One of the groups using Magecart to steal customer card data from e-commerce sites is operating out of a war zone in eastern Ukraine, security experts have revealed.
The Malwarebytes Threat Intelligence Team described in a blog post how the location of Luhansk near the border with Russia is an “ideal breeding ground where criminals can operate with total impunity from law enforcement or actions from the security community.”
The researchers found usernames and passwords belonging to hundreds of e-commerce sites, indicating the scope of the campaign, as well as a PHP backdoor used in these attacks.
The so-called exfiltration gate, web servers set up to receive the stolen data, is also disguised as a Google domain. Along with the card details, the attackers are stealing names, addresses, emails, and phone numbers for possible use in follow-on phishing attacks, Malwarebytes claimed.
The hosting server is located in Luhansk, capital of an unrecognized state set up in 2014 by Russian-backed separatists and known as the Luhansk People's Republic. At the center of the war-torn Donbass region, bulletproof hosting services are “safe from the reach of European and American law enforcement,” according to the vendor.
“Choosing the ASN AS58271 ‘FOP Gubina Lubov Petrivna’ located in Luhansk is no coincidence for the Magecart group behind this skimmer. In fact, on the same ASN at 176.119.1[.]70 is also another skimmer (xn--google-analytcs-xpb[.]com) using an internationalized domain name (IDN) that ties back to that same exfiltration gate. In addition, that ASN is a hotspot for IDN-based phishing, in particular around cryptocurrency assets,” it explained.
“Due to the very nature of such hosts, takedown operations are difficult. It’s not simply a case of a provider turning a blind eye on shady operations, but rather it is the core of their business model.”
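The second skimmer domain quoted above is an internationalized domain name whose punycode hides one accented Latin letter. As an added defender-side example (not Malwarebytes' tooling), the Python below refangs a defanged hostname, decodes its `xn--` labels, reduces the result to an ASCII skeleton by stripping combining marks and mapping a small table of Cyrillic and Greek letters that render like Latin ones, and compares that skeleton against an allowlist of third-party hosts a site legitimately loads. `BRANDS` and `CONFUSABLES` are constructed assumptions, not the full Unicode confusables data.

```python
"""Flag IDN hostnames that decode to lookalikes of an allowlisted brand host.

Added defender-side example, not Malwarebytes' code. BRANDS is an assumed
allowlist of legitimate third-party hosts; CONFUSABLES is a constructed
handful of lookalike letters, not the complete Unicode confusables table.
"""
import unicodedata

BRANDS = {"google-analytics.com", "google.com", "paypal.com"}

CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
    "\u0445": "x",  # Cyrillic ha
    "\u03bf": "o",  # Greek omicron
}


def decode_idn(host):
    """Refang '[.]', lowercase, and turn xn-- labels back into Unicode."""
    host = host.replace("[.]", ".").strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed punycode: analyse as given


def skeleton(host):
    """ASCII shape of the name: drop accents (combining marks) and map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", host):
        if unicodedata.category(ch) == "Mn":  # e.g. the circumflex split off from î
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def classify(host):
    """Return decoded form, skeleton and a verdict: exact, lookalike or unrelated."""
    decoded = decode_idn(host)
    shape = skeleton(decoded)

    def matches(name):
        return any(name == b or name.endswith("." + b) for b in BRANDS)

    if matches(decoded):
        verdict = "exact"
    elif matches(shape):
        verdict = "lookalike"
    else:
        verdict = "unrelated"
    return {"input": host, "decoded": decoded, "skeleton": shape, "verdict": verdict}


if __name__ == "__main__":
    for h in ("xn--google-analytcs-xpb[.]com", "google-analytics.com", "p\u0430ypal.com"):
        print(classify(h))
```

Run against the hostnames a page's script tags and form actions point at, the `exact` verdict is the expected case and `lookalike` is the one worth an alert; `unrelated` hosts still need the site's normal third-party review.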
Microsoft has warned 10,000 customers that they’ve been targeted by nation state attacks over the past year, including hundreds of US political organizations, the firm revealed this week.
In a blog post to promote the firm’s new ElectionGuard secure voting system, corporate VP for customer security and trust, Tom Burt, revealed that the vast majority (84%) of state-sponsored attacks were targeted at Microsoft’s enterprise customers, with the remainder (16%) hitting consumers' personal email accounts.
The majority came from groups in Russia (Yttrium and Strontium), Iran (Holmium and Mercury) and North Korea (Thallium).
“While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states continue to rely on cyber-attacks as a tool to gain intelligence, influence geopolitics or achieve other objectives,” said Burt.
However, a significant minority of attacks have been focused on democratic organizations. Officially launched last August, Microsoft’s AccountGuard tool has since alerted on 781 nation state attacks against “political campaigns, parties, and democracy-focused non-governmental organizations (NGOs).”
Although the tool is only available in 26 countries so far, the vast majority (95%) of political organizations targeted were in the US, which amounts to around 742.
“Many of the democracy-focused attacks we’ve seen recently target NGOs and think tanks, and reflect a pattern that we also observed in the early stages of some previous elections. In this pattern, a spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns, serve as a precursor to direct attacks on campaigns and election systems themselves. We saw such attacks in the US presidential election in 2016 and in the last French presidential election,” explained Burt.
“As we head into the 2020 elections, given both the broad reliance on cyber-attacks by nation states and the use of cyber-attacks to specifically target democratic processes, we anticipate that we will see attacks targeting US election systems, political campaigns or NGOs that work closely with campaigns.”
Over 805,000 computers around the world are still vulnerable to the critical Bluekeep vulnerability, which experts have warned could create a worm-like threat worse than WannaCry.
Security firm BitSight claimed that, as of July 2, 805,665 systems remained at risk, a decrease of just 17% from May 31.
“Assuming a simplistic average this represents an average decrease of 5,224 exposed vulnerable systems per day. By consistently observing individual vulnerable systems that remain exposed to the Internet and then identifying when they’re patched, we can calculate that at minimum an average of 854 vulnerable systems per day are patched,” it explained.
“The difference between these two estimates may represent systems which no longer expose the service to the Internet today, or those that are changing IP addresses frequently.”
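The two figures quoted above come from different methods: the first divides the drop in the exposed-vulnerable headcount by the number of days, the second counts only hosts that were seen vulnerable and later seen patched while still exposed. As an added example (not BitSight's code), the Python below runs both calculations over a constructed set of daily scan observations and separates confirmed-patched hosts from those that simply stopped exposing the service, which is the gap the quote attributes to systems taken offline or changing IP address.

```python
"""Aggregate decrease versus confirmed patches in an exposed-vulnerable population.

Added example, not BitSight's code. The observations are constructed sample
data: per scan day, the state of every host that still exposes the service.
A host missing from a day's map exposed nothing that day (offline, firewalled
or moved to another IP) and so cannot be counted as patched.
"""
from datetime import date

OBSERVATIONS = {
    date(2019, 5, 31): {"h1": "vulnerable", "h2": "vulnerable", "h3": "vulnerable",
                        "h4": "vulnerable", "h5": "vulnerable", "h6": "vulnerable"},
    date(2019, 6, 1):  {"h1": "patched", "h2": "vulnerable", "h3": "vulnerable",
                        "h5": "vulnerable", "h6": "vulnerable"},          # h4 vanished
    date(2019, 6, 2):  {"h1": "patched", "h2": "patched", "h3": "vulnerable",
                        "h6": "vulnerable"},                               # h5 vanished
}


def _vulnerable_on(observations, day):
    return {host for host, state in observations[day].items() if state == "vulnerable"}


def exposure_trend(observations):
    """Return the aggregate per-day decrease and the confirmed-patched per-day minimum."""
    days = sorted(observations)
    first, last = days[0], days[-1]
    span = (last - first).days
    if span == 0:
        raise ValueError("need observations from at least two different days")

    # Estimate 1: headline counts only, as in "decrease of N exposed systems per day".
    aggregate_per_day = (len(_vulnerable_on(observations, first))
                         - len(_vulnerable_on(observations, last))) / span

    # Estimate 2: follow each host; count it patched only when a scan sees it
    # still exposed but no longer vulnerable after an earlier vulnerable sighting.
    ever_vulnerable, confirmed_patched = set(), set()
    for day in days:
        for host, state in observations[day].items():
            if state == "vulnerable":
                ever_vulnerable.add(host)
            elif state == "patched" and host in ever_vulnerable:
                confirmed_patched.add(host)

    still_vulnerable = _vulnerable_on(observations, last)
    vanished = ever_vulnerable - confirmed_patched - still_vulnerable
    return {
        "aggregate_decrease_per_day": aggregate_per_day,
        "confirmed_patched_per_day": len(confirmed_patched) / span,
        "confirmed_patched": sorted(confirmed_patched),
        "vanished": sorted(vanished),
    }


if __name__ == "__main__":
    print(exposure_trend(OBSERVATIONS))
```

On the constructed data the headcount falls by two hosts per day while only one host per day is confirmed patched; the other two left the exposed population without any scan seeing a patch, so they cannot be credited to remediation.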
China and the US remain the countries with the largest number of exposed systems, despite both having reduced their exposure by the largest amount globally, 24% and 20% respectively.
The most responsive industries around the world have been Legal, which reduced affected systems by 33%, Non-profit/NGO (27%) and Aerospace/Defense (24%). However, the worst performers were Consumer Goods (5%), Utilities (10%), and Technology (12%).
BitSight also warned organizations to take a more proactive stance towards third parties that may be exposed via Bluekeep.
“There are multiple ways a system administrator may mitigate against this issue affecting an externally exposed system. The primary and most important of which is actually applying the patch to the affected system. In addition, the administrator or user may remove exposure of that system to the Internet by taking it offline or applying proper access control lists to those systems to limit access to them,” it added.
“It’s been two months since the patch has been made available by Microsoft and we’ve only observed a 17.18% decrease in the number of exposed vulnerable systems in the last month. It’s important for organizations to patch their systems to not only protect their own data and systems, but those of their third parties that they conduct business with.”
Bluekeep is an RCE flaw in Windows Remote Desktop Services (RDS) which could enable an attacker to take complete control of a machine. It affects Windows XP to Windows 7 and Server 2003 to Server 2008 R2 computers.
The vulnerability (CVE-2019-0708) is deemed particularly critical as it can infect and spread without user interaction. Working exploits have already been engineered by security researchers, and the concern is hackers could use it as a mechanism to spread cryptomining malware, banking trojans or other types of malware.
Evidence suggests that new versions of malware families are linked to the elusive Ke3chang group, along with a previously unreported backdoor, according to researchers at ESET.
The researchers have long been tracking the advanced persistent threat (APT) group and suspect that it operates out of China, according to today’s press release.
Named Okrum by ESET, the malware was first detected in late 2016 when it was used to target diplomatic missions and governmental institutions in Belgium, Slovakia, Brazil, Chile and Guatemala. However, researchers have seen multiple variations of the malware families and attributed the activity to the Ke3chang group.
“In research going back to 2015, ESET identified new suspicious activities in European countries. The group behind the attacks seemed to have particular interest in Slovakia, but Croatia, the Czech Republic and other countries were also affected. Analyzing the malware used in these attacks, ESET researchers found that it was linked to known malware families attributed to the Ke3chang group, and dubbed these new versions Ketrican,” the release stated.
“We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors,” said Zuzana Hromcova, the ESET researcher who made the discoveries.
The group has remained active in 2019. As recently as March, researchers “detected a new Ketrican sample that has evolved from the 2018 Ketrican backdoor. It affected the same targets as the backdoor from 2018,” according to the research.
“Okrum can impersonate a logged on user’s security context using a call to the ImpersonateLoggedOnUser API in order to gain administrator privileges.” It then automatically collects information about the infected computer, including computer name, user name, host IP address, primary DNS suffix value, OS version, build number, architecture, user agent string and locale info (language name, country name), the report added.