Info Security

Subscribe to Info Security  feed
Updated: 18 min 34 sec ago

Indian Bank Loses $13.5m in Global Attack

Thu, 08/16/2018 - 08:47
Indian Bank Loses $13.5m in Global Attack

An Indian bank has lost nearly 944m rupees ($13.5m) after hackers withdrew the funds from ATMs around the world and made other fraudulent SWIFT transfers.

Pune-headquartered Cosmos Bank claimed the attackers first stole customer information by installing malware on the firm’s ATM server, before conducting the globally co-ordinated withdrawals in 28 countries on August 11.

An alert from the FBI warned unnamed banks on Friday of an imminent “global Automated Teller Machine (ATM) cash-out scheme” but was unable to halt the sophisticated plot.

“Historic compromises have included small-to-medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third-party vendor vulnerabilities,” it noted. “The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.”

The self-styled “leading co-operative bank in India” was also hit by three unauthorized transfers via SWIFT to a Hong Kong company’s account worth 139m rupees ($2m).

The lender claimed that the hackers managed to bypass the main switching system used for debit card payments.

“During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system,” it said in a press release seen by Reuters.

The case will bring to mind a series of high-profile raids on financial institutions over the past few years, many of them involving the SWIFT interbank transfer network.

Tamil Nadu-headquartered City Union Bank was targeted in February, when an alleged international group of hackers tried to make $2m worth of illegal transfers, although they only succeeded in getting half of that.

The run of attacks on lenders began with a major $81m raid on Bangladesh Bank back in 2016 which was subsequently blamed on the infamous North Korea-linked Lazarus Group.

Categories: Cyber Risk News

What Drives Hackers to a Life of Cybercrime?

Wed, 08/15/2018 - 14:58
What Drives Hackers to a Life of Cybercrime?

It likely comes as no surprise that cyber-criminals are financially motivated, but according to new research, many nefarious actors in the cyber world are also driven to a life of digital crime by ego as well as socioeconomic and psychological factors.

As follow-up to the recent report Under the Hoodie: Lessons from a Season of Penetration Testing published by Rapid 7, Wendy Zamora, malware intelligence at Malwarebytes, set to work on a months-long research piece exploring the psychology, motivations and other underlying factors that drive people to cybercrime.

The results of her work were published today in the long-form article "Under the Hoodie: Why Money, Power, and Ego Drive Hackers to Cybercrime" which includes interviews with reformed and active cyber-criminals as well as research from forensic psychologists, law enforcement officials and professors of criminology.

Zamora's research reveals that the main motivations for cyber-criminals include socioeconomic factors, technical skill and psychological drivers such as revenge and ego. Throughout the article, she breaks down each factor to create a general cyber-criminal persona, pinpointing the various motivations to particular forms of cybercrime, such as social engineering and malware creation.

In reference to interviews with one of her subjects who became enamored by the ease with which he could earn money, Zamora writes, “What’s not to like? Money, popularity, and a quiet 'screw you' to the man. He was proud of his ability to hack into and modify programs built by professionals.”

The results of her research highlight the value of criminal profiling, a psychological assessment that looks at both personality and physical characteristics. Criminal profiles are not as useful in identifying the individual perpetrator as much as they are helpful in narrowing the field of suspects.  

Understanding what motivates cyber-criminals can also serve as a pathway to help them transition from cyber-criminals to white hat hackers. “There’s a razor thin line separating the white hats from the black,” Zamora describes.

“Cyber-criminals are equally passionate and skilled at what they do, but the lens through which they view the world may be blurred by socioeconomic circumstances or psychological hang-ups. There are those that may be beyond hope, but there are also those who are simply too young or too insecure to work a system that feels like it’s set up to watch them fail.”

Categories: Cyber Risk News

NSA Insider Teaches Next-Gen IT Strategies

Wed, 08/15/2018 - 14:18
NSA Insider Teaches Next-Gen IT Strategies

Given the cybersecurity threats that present risks to individuals, organizations and government entities around the globe, cybersecurity professionals need to know how to defend against current and emerging threats. The new book Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time, written by cybersecurity expert and NSA insider O. Sami Saydjari, offers insight into next-generation IT strategies and defenses.

Engineering Trustworthy Systems; Get Cybersecurity Design Right the First Time (McGraw-Hill, July 2018, 672 pages; Trade Paper, $60, ISBN: 978-1-260-11817-9).

Founder and president of Cyber Defense Agency, Saydjari is a cybersecurity thought leader with 35 years of experience who worked for the NSA, DARPA, DoD and NASA, and has consulted leaders on cybersecurity policy and written more than a dozen papers.

“I can think of no person better qualified to write this sorely needed tome. Sami is one of the leading conceptual innovators in the cybersecurity field with over three decades of experience in all aspects of cybersecurity engineering,” said Brian Snow, former National Security Agency, technical director.

“He is internationally recognized and trusted as a talented cybersecurity architect. His understanding of this complex topic is both expansively wide and impressively deep in many areas. Despite that, or perhaps because of it, he has a unique ability to communicate the most complex and subtle content in terms that are clear and easily understood.”

While underscoring the need for increased national investment in cybersecurity, Engineering Trustworthy Systems also defines all aspects of the cybersecurity problem. Practitioners will gain an understanding of how to move forward in solving emerging problems while also looking at the potential pitfalls that can get in the way of designing defenses against attacks.

“This book is for those vulnerable to cyberattacks, the very people who are dependent on information technology – businesses, government, legal, medical and academic sectors,” Saydjari said.

Former National Security Advisor to President Ronald Reagan, John M. Poindexter, PhD, VADM, USN(Ret), said, “This is the 'bible' for cybersecurity, which needs to be consulted as we struggle to solve this enormous threat to our national security.”

The book is intended to be an authoritative guide for crafting cutting-edge cybersecurity solutions to defend against even the most sophisticated attacks. “Much of the information in this book can be found nowhere else and represents the distilled experiences of over three decades of work as a cybersecurity researcher, architect and engineer,” said Saydjari. 

“The book carefully builds from the most foundational elements of cybersecurity to the most complex and nuanced topics that can make your performance in cybersecurity more effective, efficient and stronger.”

Categories: Cyber Risk News

Credential-Stealing Financial Trojan Targets Banks

Wed, 08/15/2018 - 13:46
Credential-Stealing Financial Trojan Targets Banks

Financial institutions have long been the target of cyberattack, and today researchers at Cyberbit announced they have discovered a new variant of Trickbot, a modular malware and well-known financial Trojan that targets customers of large banks and steals their credentials.

Since first discovered in 2016, new variants have emerged, updated with new tricks and modules. Researchers analyzed Trickbot’s most recent infection vector – a malicious Word document – that only executes its macro after a user has both clicked “enable content” and resized the window by zooming in and out of the document.

Upon a user performing both of these functions, the macros execute a PowerShell that downloads and executes the Trickbot. Researchers noted that the variant leverages a variety of new evasion techniques, including a stealthy code-injection technique that performs process hollowing used for unpacking – as was seen in older samples of the Trickbot. With this variant, the process hollowing is done using direct system calls. In addition, by calling long/short sleeps, the malware sleeps for anywhere from 11 to 30 second and avoids sandboxes.

Trickbot also leverages anti-research/analysis using encryptions and useless function calls and avoids detection by disabling and deleting the Windows defender service. Attackers can leverage these techniques to steal users’ credentials and access their bank accounts.  

“Organizations should be aware of this new trend to directly call functions via system calls. This technique bypasses security tool hooks and therefore most security products will not detect this threat,” wrote Hod Gavriel in today’s blog post.

This latest discovery is one of a few emerging threats that banks and their customers are facing. Recent research published by ESET and CERT.PL noted a technique used with the BackSwap banker malware whereby it hooks the Windows message loop events to look for banking activity. According to a 6 August post from Cyberbit, BackSwap also was able to hide its code in fraudulent copies of legitimate computer programs.

Categories: Cyber Risk News

Just 10% of UK Firms Have No Cyber Insurance

Wed, 08/15/2018 - 10:11
Just 10% of UK Firms Have No Cyber Insurance

UK companies appear to be forging ahead globally when it comes to take-up of cyber insurance, although relatively few have full coverage, according to a new report from Ovum.

Predictive analytics firm FICO commissioned the industry analyst to poll 500 senior executives, mainly from IT, across 11 countries: the UK, US, Canada, Brazil, Mexico, Germany, India, Finland, Norway, Sweden and South Africa.

It found that 90% of UK firms have some form of insurance in place to mitigate the risk of cyber-threats, compared to an average of 76% in all countries surveyed.

Telecoms firms (17%) were most likely to have no insurance, compared to just 5% of financial services firms.

The figures overall are significantly better than last year’s findings, which revealed that just 69% of UK firms reported having cybersecurity insurance.

However, there’s clearly some way to go for the industry: just 38% of UK organizations claimed to have cybersecurity insurance covering all risks.

“Although UK organizations perform well in terms of the uptake of cyber insurance, the fact that fewer than 40% have comprehensive insurance demonstrates there is still some way to go for these firms to have a broad view of their security posture and how to present it for insurance,” said Maxine Holt, research director at Ovum.

“It could also show that these companies have a current security posture that insurers are not prepared to cover comprehensively. We should not detract from the positive news here; 90% of UK organizations have elevated the importance of cybersecurity to a level that requires insuring, even if only partially.”

Cyber insurance is widely regarded as a positive trend for the industry as long as it’s not regarded as a silver bullet. As most policies first require a baseline level of good security practice, it’s thought that the expansion of coverage will drive improvements in this area.

Categories: Cyber Risk News

Microsoft Fixes 60 Flaws Including Two Zero-Days

Wed, 08/15/2018 - 10:01
Microsoft Fixes 60 Flaws Including Two Zero-Days

Microsoft has fixed 60 vulnerabilities this monthly update round, including two zero-days and patches for the newly disclosed Intel L1TF bugs.

August Patch Tuesday saw updates to fix two zero-days already publicly disclosed and being exploited in the wild. These should be the top priorities for admins this month, according to Ivanti director of product management, security, Chris Goettl.

“CVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. Exploitation could result in remote code execution and grants the same privileges as the logged-in user including administrative rights. Because this vulnerability exists in IE 9, 10, and 11, it affects all Windows operating systems from Server 2008 to Windows 10,” he explained.

“The second zero-day vulnerability, CVE-2018-8414, is a code execution vulnerability that exists when the Windows Shell does not properly validate file paths. Exploitation can also result in remote code execution with the privileges of the logged-in user. This vulnerability is not as widespread, existing on only Windows 10 1703 and newer, Server 1709 and Server 1803.”

Microsoft also published an advisory covering the newly disclosed Spectre/Meltdown-like L1TF vulnerabilities. The Redmond giant has released several updates to help mitigate them, but warned that users of VBS or versions of Hyper-V prior to Windows Server 2016 may need to disable Hyper-Threading, which could cause performance degradation.

Elsewhere, Qualys director of product management, Jimmy Graham, urged admins to prioritize browser and scripting engine patches for “workstation-type devices,” especially a fix for CVE-2018-8373.

He also pointed to CVE-2018-8345 for workstations and servers, Exchange flaw CVE-2018-8302, and Microsoft SQL RCE vulnerability CVE-2018-8273 as ones to address urgently.

Not to be outdone, Adobe released more updates on Tuesday, including fixes for five Flash Player updates and two new critical flaws in Reader and Acrobat, to follow the 100 announced last month.

Categories: Cyber Risk News

Intel Reveals Three High Severity Memory Flaws

Wed, 08/15/2018 - 09:04
Intel Reveals Three High Severity Memory Flaws

Intel has revealed details of a new set of Spectre-like vulnerabilities in its Core and Xeon processors which could allow malicious attackers to steal highly sensitive information from memory on PCs or in clouds.

The flaws were found in the chip giant’s Software Guard Extensions (SGX) technology, System Management Mode (SMM) and x86 virtual machines.

Together these speculative execution side-channel flaws have been labelled L1 Terminal Fault (L1TF) bugs because they target access to a chip’s L1 data cache.  

The first, CVE-2018-3615, has been dubbed “Foreshadow” by the researchers that discovered it. It affects the supposedly secure enclave of SGX, to allow “unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local-user access via side-channel analysis.” It can apparently be fixed by applying Intel’s Q2 microcode update.

The second flaw, which Intel discovered, (CVE-2018-3620) affects SMM and OS kernels and allows “unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.” Applying the aforementioned microcode and OS kernel patches is required.

Finally, CVE-2018-3646, also found by Intel, affects hypervisors and VMs. Chips that use speculative execution and address translations “may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis." It would therefore make it feasible for guest VMs on a cloud platform to steal info from other VMs.

Admins will need to apply the microcode, as well as OS and hypervisor updates.

The good news is that there are no reports of the flaws being used in real world exploits, new Cascade Lake chips are being produced to mitigate the vulnerabilities and patches are being released by Intel and industry partners.

“As long as users install the update, they’ll be fine. And in fact, the vast majority of PC owners don’t use SGX, so it’s not likely to become a major problem right now,” said Foreshadow report author Thomas Wenisch, of the SGX flaw. “The real danger lies in the future, if SGX becomes more popular and there are still large numbers of machines that haven’t been updated. That’s why this update is so important.”

Categories: Cyber Risk News

For Google, No Tracking Means We Still Track You

Tue, 08/14/2018 - 17:12
For Google, No Tracking Means We Still Track You

Google is so intrigued by the places users go that it continues to track their locations even after users turn off the Location History, according to findings from a recent AP investigation conducted by computer-science researchers at Princeton.

For a global conglomerate like Google, "no" doesn’t necessarily mean "no" when it comes to tracking user locations. Users do have the option to adjust their privacy settings so that location information is turned off or only on while an app like Google Maps is in use. However, when Gunes Acar, a privacy researcher at Princeton, turned off his Location History and took to the road to verify that he was not being tracked, he discovered that the privacy settings were ineffective.

The results of what the location data collected over the course of three days was compiled in a map and included “Acar’s train commute on two trips to New York and visits to The High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem,” according to AP.

Users have long been suspicious about actually being able to shut off Google’s location services. As it turns out, those suspicions were warranted. Acar confirmed that his travels were indeed tracked and stored, even without his consent.

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web and App Activity and through device-level Location Services,” a Google spokesperson said in a statement to the AP. “We provide clear descriptions of these tools and robust controls so people can turn them on or off, and delete their histories at any time.”

The report raises several different privacy questions, particularly when it comes to user consent of data collection. “When it comes to information privacy, we need to start asking a different set of questions, such as: What data may legitimately be collected? What are legitimate uses for data that is collected?” said Todd Shollenbarger, chief global strategist, Veridium.

Categories: Cyber Risk News

Stopping Russian Attacks on Candidate Websites

Tue, 08/14/2018 - 16:13
Stopping Russian Attacks on Candidate Websites

As the midterm elections grow closer, concerns for voting security continue to mount, particularly in light of research unveiled after this year’s Def Con security conference, which found that the websites of nearly one-third of the US House candidates are vulnerable to attack.

Independent researchers unveiled the alarming security problems that exist in the websites of three in every 10 candidates - both Republican and Democrat - running for the US House of Representatives, according to news from Reuters.

Under the leadership of former National Institutes for Standards and Technology (NIST) security expert Joshua Franklin, a team of four independent researchers used automated scans to test the websites of candidates on both sides of the aisle and reportedly found multiple vulnerabilities. Franklin told Reuters that the team is trying to contact all the candidates so that they can fix the problems.

Earlier this month, the ever-present threats from cyber-criminals became a reality for Tabitha Isner, the Democratic candidate running in Alabama's second congressional district, who alleged Russians attempted to hack her campaign website. Just this week Sen. Bill Nelson (D-Fla.) said that Russians penetrated voter registration systems in Florida.  

As candidates struggle to shore up their websites, vendors in the cybersecurity space are moving forward in the development of new technologies to help candidates running for office.

Thycotic announced today that it has released a free Cybersecurity Election Protection Toolkit to help campaigns for federal, state and local elected offices prevent attacks on their credentials/passwords amid recent cyber-threats by Russian hackers and other cyber-criminals.

The toolkit includes links to additional free online tools, such as Password Strength Checker and Strong Password Generator, which is available to any organization looking to protect its critical data assets.

“With many in the U.S. House of Representatives and the Senate up for reelection in November, along with a host of newcomers on the political scene, our goal in offering this Election Protection Toolkit is to help ensure the integrity of our midterm elections,” said Steve Kahan, chief marketing officer at Thycotic.

Categories: Cyber Risk News

Hackers Target Instagram, Users Blame Russia

Tue, 08/14/2018 - 16:05
Hackers Target Instagram, Users Blame Russia

The Facebook-owned photo-sharing application Instagram has reportedly fallen victim to an attack, which appears to have originated in Russia, according to news from The Sun. Both Mashable and Reddit have reported a surge in the use of the word "hack" in tweets related to Instagram accounts. Additionally, Google Trends shows that a significant jump in searches for "Instagram hacked" occurred 7-11 August.

A tweet storm continues to thrash on Twitter, resulting in a social media meltdown that's revealing widespread user frustrations over the lack of response from Instagram.

One user tweeted, “your help center is so unhelpful. How an i supposed to gain access to my hacked account if all you want to do is send an email asking me to reset my password and that email has been changed to theirs???”

Flurry of tweets

One user advised Instagram users to immediately activate two-factor authentication. "I very much doubt 2FA was in use in the hacked accounts, so switching on 2FA will certainly prevent this type of attack,” said Andy Norton, director of threat intelligence at Lastline.

However, there have been anecdotal reports that some accounts were using the layered protection of 2FA.

“Although this is an excellent security control and should always be used, it's not foolproof and can be defeated if someone is either able to take control of the mobile phone number that receives the text message code or if they can trick the account holder into visiting a fake version of the real website that interacts with the real website and prompts the user to enter the two-factor code,” said Rob Shapland, principal cybersecurity consultant at Falanx Group.

While the account takeovers all seem to be linking to Russian email addresses and could indicate an attack from a Russian hacking group, it remains possible that another group is pretending to be Russian.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion. Email addresses are easily spoofed, either to conceal identity or to encourage finger-pointing toward the wrong place," said Lee Munson, security researcher at

Categories: Cyber Risk News

Mobile App-Based Fraud Jumps in Q2

Tue, 08/14/2018 - 10:45
Mobile App-Based Fraud Jumps in Q2

RSA Security has said it recovered over five million compromised cards from underground marketplaces and other sources in the last quarter, a 60% increase on the previous three months.

The security vendor’s Quarterly Fraud Report for Q2 2018 also revealed that the threats facing consumers and brands have evolved slightly, with mobile playing a greater role.

While phishing emails, texts (smishing) and phone calls (vishing) remained the most prolific type of fraud attack in the period, accounting for 41% of the total, trojan malware and rogue apps swapped places.

Attacks involving financial malware dropped from 25% in the previous quarter to 16% in Q2, while the number of rogue mobile apps RSA detected jumped 13% to reach 9185: 28% of the total number of observed attacks.

These apps typically abuse consumer trust in brands by faking well-known apps to harvest information.

In addition, mobile app and mobile browser transactions comprised 71% of total fraud transactions, up 9% from Q1 2018. Fraudulent transactions via mobile channels increased 16% year-on-year.

RSA also revealed the growing popularity of new account fraud.

Just 0.4% of legitimate payment transactions were attempted from a new account and device. This is in stark contrast to the 27% of the total value of fraudulent payments made through new accounts and devices in the period.

RSA claimed fraudsters continue to use burner devices and fake accounts to try and circumvent fraud filters.

What’s more, 28% of fraud originates from a known or trusted account and device, suggesting these devices have been infected with financial malware designed to carry out account takeover attacks.

The figures come as new stats from Compare the Market out this week revealed UK cyber-enabled fraud losses soared past £2bn last year, with the amount stolen rising 38% over the period, from £600 per person to £833.

Categories: Cyber Risk News

Fax Attack: Researchers Warn of New Vector for Hackers

Tue, 08/14/2018 - 10:01
Fax Attack: Researchers Warn of New Vector for Hackers

Security researchers have been able to exploit vulnerabilities on all-in-one printers by sending a malicious fax, enabling then to infiltrate corporate networks.

The vulnerabilities were discovered by Check Point in a common implementation of the fax protocol, using HP Officejet all-in-one printers. HP has since released a patch after working with the security firm, but the issue could persist on other machines.

Check Point claimed that the issue is critical given that faxes are still widely in use: a cursory internet search apparently yielded hundreds of millions of numbers.

The attack could enable hackers to infiltrate corporate networks or use the connected printer to remotely steal sensitive documents, mine Bitcoin or carry out other nefarious tasks.

“Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer,” the vendor claimed.

“We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.”

The research team revealed two vulnerabilities discovered in the course of the research: CVE-2018-5925 – buffer-overflow while parsing COM markers – and CVE-2018-5924 – stack-based buffer-overflow while parsing DHT markers.

The white hats used the latter in their actual attack as it was easier to exploit. Infamous NSA exploits Eternal Blue and Double Pulsar were then used to autonomously spread the payload over a connected network.

However, not everyone was convinced about the seriousness of the implications. ThinkMarble Red Team leader, Tom B, claimed that there are several barriers for malicious attackers.

“First of all, receiving a fax is essentially like receiving a telephone call — they are generally traceable. Furthermore, phone calls also cost money. Phoning millions of fax machines to find a vulnerable model is expensive, and this will dissuade the common cyber-criminal,” he explained.

“Even where cost and traceability are not an issue, faxes take a relatively long time to come through. Sending a malicious fax to millions of fax machines with the hope of finding a vulnerable model, would take a very long time.”

Even in a highly targeted attack the attacker would first need the model number of a machine and details of a working exploit to succeed.

“Once crafted, there would be no guarantees that the payload would not simply crash the device instead of executing the code,” he argued.

The best way to keep fax machines and printers secure is to ensure they’re regularly patched and updated, he concluded.

Categories: Cyber Risk News

NHS Patient Data at Risk from Historic Breach: Report

Tue, 08/14/2018 - 09:09
NHS Patient Data at Risk from Historic Breach: Report

A historic breach at a third-party supplier has put the data of countless NHS patients at risk, according to a new report.

An investigation by the Sunday Telegraph revealed a 2016 breach at online training business Embrace Learning exposed the email addresses and unencrypted passwords of 10,000 public sector healthcare workers.

The risk is that if these affected workers reused their Embrace Learning credentials for their NHS accounts, hackers could theoretically have used them to break into networks in search of lucrative patient data.

Some 19 NHS trusts and organizations including local councils were affected, none of which were aware of the breach when contacted by the paper.

A statement from the distance learning company confirmed the historic breach and claimed there had been “no successful attacks on our servers since new measures were implemented in 2016.” However, that doesn’t cover the possibility of other organizations being affected by the password theft.

“On reflection, our security measures at that time were clearly not sophisticated enough to prevent data being stolen,” it noted.

“The breach prompted immediate action. In consultation with our ISP UKFast, we significantly increased the level and sophistication of security and encryption. Since then we have taken further measures to protect data from increasingly sophisticated hacking attempts.”

The hope is that the trusts affected operate a policy of regularly enforcing password changes, or else require 2FA for log-ins, both of which would largely mitigate the threat.

Cumbria Partnership NHS Foundation Trust, which had passwords stolen from 200 employees, told the paper it has contacted each member of staff affected.

“As a trust we take data security very seriously and as such all staff are forced to change their passwords regularly therefore we are confident that our staff details remain safe,” it said. “We have robust policies and processes in place and regularly update our staff of the importance of all types of cybersecurity.”

Jamie Graves, CEO of ZoneFox, said the case highlights the complexity and cyber-risks involved in modern supply chains.

“Robust company-wide education programs are vital for safeguarding confidential data,” he added. “What's more, robust password managers are a must for anyone, not least our front-line NHS staff whose life-saving work inevitably entails access to sensitive patient data."

Categories: Cyber Risk News

Variant of KeyPass Trojan Takes Manual Control

Mon, 08/13/2018 - 17:28
Variant of KeyPass Trojan Takes Manual Control

Multiple researchers have identified a dangerous new variant of KeyPass ransomware, featuring a manual-control functionality, and according to Kaspersky Lab, the modified version mainly targets developing countries.

“For now, the most targeted regions are mainly developing countries – the modification primarily targets Brazil (19.51%) and Vietnam (14.63%). As the malware continues to spread worldwide via fake installers that download the ransomware module, experts have noticed a distinguishing feature: it can be used for manual attacks,” a Kaspersky Lab spokesperson wrote.

When the Trojan starts on the victim’s computer, it copies its executable to %LocalAppData%. After the executable launches, the malware then deletes itself from the original location but propagates multiple copies of its own process, “passing the encryption key and victim ID as command line arguments,” researchers wrote in a blog post.

The malware reportedly uses a simple scheme to encrypt data at the beginning of each file. Designed by the Trojan’s developers, the symmetric algorithm AES-256 is in CipherFeedback (CFB) mode with zero IV and the same 32-byte key for all files.

Source: Kaspersky Lab

The MalwareHunter Team said that the variant, noticed during the late evening hours on 8 August, received 100 submissions to IDR from more than 20 countries, adding that the KeyPass Ransomware, “is spreading all over the world.”

Kaspersky Lab researchers took particular interest in the KeyPass Trojan’s ability to take manual control. Researchers wrote, “The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks."

“The capability to perform manual control is truly worrisome since it provides criminals behind the Trojan an opportunity to customize the malware. It might be an indication that the era of mass-scale extortions is gone and now we might be facing a growing trend of individually targeted ransomware attacks,” said Fedor Sinitsyn, security researcher, Kaspersky Lab.

Categories: Cyber Risk News

More Than 10K Recorded Vulnerabilities in 2018

Mon, 08/13/2018 - 16:45
More Than 10K Recorded Vulnerabilities in 2018

The number of recorded vulnerability disclosures continues to rise, with 10,644 published throughout the first half of 2018 by Risk Based Security’s VulnDB team. That total is reportedly 3,279 more vulnerabilities than those listed on CVE/NVD, according to the 2018 Mid-Year VulnDB QuickView Report

The numbers reflect only a 1% increase over the same period last year. Of those discovered in the first six months of 2018, 73% of vulnerabilities have a documented solution, while only 32.1% have public exploits; however, 50% of the vulnerabilities can be exploited remotely.

Of the vulnerabilities disclosed, 16.6% scored 9.0 or higher on the CVBSSv2 scale. Nearly half (48.2%) of the vulnerabilities were disclosed through coordinated disclosure, yet only 13.1% of those coordinated disclosures were through bug bounty programs.

“An important and compelling statistic is that of the 3,279 vulnerabilities not reported by CVE/NVD, 44.2% have CVSSv2 scores between 9.0 and 10 (high to critical severity). While criteria other than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organization is not aware of higher-severity vulnerabilities that pose a risk to their assets,” said Carsten Eiram, chief research officer for Risk Based Security.

“We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government–funded organization’s continued underrepresentation of identifiable vulnerabilities,” said Brian Martin, VP of vulnerability intelligence for Risk Based Security.

“While some contend that the CVE/NVD solution is ‘good enough,’ the number of data breaches based on hacking points to a different conclusion. In today's hostile computing environment, with nonstop attacks from around the world, organizations using subpar vulnerability intelligence are taking on significant risk needlessly.”

Categories: Cyber Risk News

Firms at Mercy of Smarter, Faster Cyber-Criminals

Mon, 08/13/2018 - 15:57
Firms at Mercy of Smarter, Faster Cyber-Criminals

With more than 100,000 vulnerabilities published on the CVE list, organizations are struggling to keep pace with patching, leaving almost all firms vulnerable to attack, according to the new Threat Landscape Report released by Fortinet.

In today’s blog post, Fortinet researchers wrote that despite the vast number of known vulnerabilities, only 5.7% of those on the CVE list are being exploited in the wild, suggesting that trying to patch every vulnerability might be a fruitless endeavor for organizations.

Still, nearly all firms (96%) have experienced at least one severe exploit, and a quarter of companies were hit with crypto-mining malware. While the research did not find any new developments related to Apache Struts and Heartbleed during Q2, the report found that Microsoft was the number-one exploit target.

Of additional note was the finding that criminals are now using crypto-jacking on internet of things (IoT) home devices. Cyber-criminals have added IoT devices to their repertoires, often targeting home media devices because of their computational horsepower. The devices are always on and connected, so criminals target them and load continuously mining malware.

“Cyber-adversaries are relentless. Increasingly, they are automating their tool sets and creating variations of known exploits. Of late, they are also more precise in their targeting, relying less on blanket attempts to find exploitable victims,” said Phil Quade, CISO, Fortinet in a press release.

Analysis of data on botnet trends revealed how cyber-criminals maximized impact, as was the case with Wicked, a new Mirai botnet variant, which added at least three exploits to its arsenal to target unpatched IoT devices.

In addition to the threats on critical infrastructure attacks using VPNFilter, Q2 also saw a new Anubis variant from the Bankbot family, capable of performing ransomware, keylogger, RAT functions, SMS interception, lock screen and call forwarding.

Malware authors have moved beyond polymorphism as a means of evading detection, and the report found that they have developed more agile practices that make it easier for them to bypass anti-malware products.

“Organizations should leverage automated and integrated defenses to address the problems of speed and scale, utilize high-performance behavior-based detection, and rely on AI-informed threat intelligence insights to focus their efforts on patching vulnerabilities that matter,” Quade said.

Categories: Cyber Risk News

IT Security Pros Lay Bare Election Hacking Fears

Mon, 08/13/2018 - 12:01
IT Security Pros Lay Bare Election Hacking Fears

The vast majority of IT security professionals believe election infrastructure is at risk and that attackers will target voting data in transit, according to the latest stats from Venafi.

The security vendor polled over 400 cybersecurity pros in the US, UK and Australia about their views on the subject, ahead of key mid-term elections in the US in November. Intelligence on Russian state-sponsored interference in the 2016 presidential election found that hackers used encrypted tunnels to hide their attacks on vulnerabilities in election infrastructure.

IT security pros appear well-informed of the threats, with 93% claiming election infrastructure is at risk and 81% saying hackers will target key data as it is transmitted from local polling stations to centralized points. 

Part of the challenge of securing electoral infrastructure is that it tends to be spread out: over half of respondents pointed not only to encrypted comms channels but also the voting machines themselves and the systems that store voter registration data as being vulnerable.

Tellingly, just a handful claimed confidence in the ability of governments and local states to detect (2%) and block (3%) such attacks.

Kevin Bocek, VP of security strategy and threat intelligence at Venafi, told Infosecurity that following the indictment of 12 Russian agents for the 2016 attacks, election hacking is no longer a theoretical threat.

“The intent of adversaries is to sow distrust in democracy and Western governments. A hack does not need to change an election directly; merely creating doubts about the integrity of our election infrastructure and processes achieves the goal,” he added.

“This research shows how IT professionals are keenly aware of these risks and all the ways that election hacking can be done: whether it’s going after the back-end systems that store the results, or editing the voter rolls before the big day. For example, a careful purging of the voter rolls could easily tip the balance one way or the other without an attacker actually changing a single vote.”

Bocek claimed a return to paper voting is too time-consuming and prone to error to be feasible.

“These are the actions our adversaries would love to see as it would show that we’ve lost confidence in technology and democracy,” he concluded.

“The real solution is ensuring that we have systems in place which allow us to actually trust the machines we’re using and run the voting process, and therefore the democratic process as a whole.”

Governments around the world must therefore focus on improving the security of encrypted machine-to-machine communications, the firm claimed.

Categories: Cyber Risk News

Butlin’s Customers Face Anxious Holiday After Breach Alert

Mon, 08/13/2018 - 09:30
Butlin’s Customers Face Anxious Holiday After Breach Alert

Tens of thousands of holidaymakers may be at a heightened risk from phishing attacks after Butlin’s admitted a data breach affecting customers’ personal information.  

The holiday camp owner published a notice late last week revealing that up to 34,000 booking reference numbers, lead guest names, holiday arrival dates, postal and email addresses and telephone numbers may have been breached.

Managing director, Dermot King, claimed that affected guests would be contacted by the end of Monday 13 August. Payment details and username/password combinations are safe and there has been no sign of fraudulent activity thus far on the stolen data, he added.

The firm blamed “a phishing attack via an unauthorized email” for the incident and said it had since “improved a number of our security processes.” However, it’s difficult to counter the threat posed by phishing emails as they rely fundamentally on tricking the employee rather than their machine.

That’s why 93% of breaches last year involved some form of phishing, according to Verizon.

McAfee chief scientist, Raj Samani, argued that not only will Butlin’s customers be at risk from follow-on phishing attacks using the stolen information to appear more convincing, but because the hackers have access to info on holiday arrival dates, their houses may be at risk from burglars.

“Recent McAfee research reveals a third of people rely on the same three passwords for every account they’re signed up to. If you use the same password across a number of apps and accounts you need to change it now,” he cautioned. “Introduce a password generator to ensure you have unique passwords across all accounts. And for holidaymakers’ home security, they should ensure they have a trusted neighbor keeping an eye on the property while away and alarms set.”

Unlike Reddit, Butlin’s reported the incident within 72-hours and has proactively notified all affected customers, so it should escape the wrath of GDPR investigators.

Categories: Cyber Risk News

UK Online Fraud Blasts Past £2bn

Mon, 08/13/2018 - 08:57
UK Online Fraud Blasts Past £2bn

Cyber-enabled fraud losses have rocketed over the past 12 months with more than £2bn collectively stolen from the bank accounts of UK cardholders, according to Compare the Market.

The price comparison site’s poll of 2000 UK adults revealed that 9% had been defrauded over the past year, which roughly equates to 4.7 million people nationwide.

The figure is significantly less than the 5.5 million estimated to have lost money between May 2016 and May 2017. However, the amount stolen has risen 38% over the period, from £600 per person to £833.

The most common form of fraud was via online payments (28%), although 27% said they don’t know or can’t remember how they were defrauded.

Over half (56%) of respondents said they were also concerned about the security of card details saved in the browser. The autofill function is increasingly popular with consumers, with 31% of respondents claiming to use it. However, last year it emerged that it could be abused by fraudsters to harvest credentials if users are tricked by specially crafted phishing sites.

Of potentially even greater concern is the stat that 44% of respondents interviewed by Compare the Market claimed they had to alert their bank about fraudulent activity, not the other way round.

Despite this, 79% said they haven’t changed bank or credit card provider after experiencing an online attack and are not considering changing. This may reflect the perception that fraud is inevitable irrespective of provider.

“It is reassuring to see that some behavior is changing as a result of fraud. People are more likely to check their bank and credit card accounts regularly, and to have different passwords and PINs for their various accounts, and most now won’t give out their bank details over the phone,” said head of money at Compare the Money, Shakila Hashmi.

“All of these measures need to be ramped up in order for people to lessen the chance of being hacked. However, if a provider has not spotted suspicious activity or has not dealt with a fraud to the best of their ability then it is vital that people vote with their feet and move to suppliers with a better client service rating.”

The figures contrast separate findings from FICO last month which claimed card-not-present (CNP) fraud losses in the UK had dropped 8% over the past year, despite rising 2% across Europe.

Categories: Cyber Risk News

#DEFCON Government Attacks and Surveillance Continue to Increase

Sat, 08/11/2018 - 22:19
#DEFCON Government Attacks and Surveillance Continue to Increase

Speaking at DEFCON to deliver research on “a comprehensive list of Nation-State Big Brothers,” security researcher Eduardo Lzycki said that there had been an increased number of governments both censoring and shutting down online services, as well as acquiring cyber espionage and offensive tools.

Saying that the internet was something that “people gathered around as a common idea without a top down authority,” his research – done with colleague Rodrigo Colli – found that the “most active actor in cyber space is states doing things – attacking – and [conducting] attacks against other states and other groups.”

Drawing from five sources: academia and NGOs, data leaks, censorship and transparency reports, Lzycki said that what they had seen showed that 55% of attacks had some sort of state-sponsored level of attribution, from 402 single APT groups, which includes 19 countries with “a state sponsored threat.” Showing the map below, Lzycki said that that it was interesting to see how diffused the number of actors were.

“When you look at the types of targets, it is interesting to notice that in 46 cases we had political targets: opposition parties, NGOs, and in the first place ahead of military and diplomatic targets was evidence that attacks were directed to political targets.”

The research further showed that 71 countries acquired offensive solutions, and Lzycki and Colli were able to identify the user or buyer in 41 cases, which they said was typically military and defense.

Speaking on the research around censorship and government shutdowns of social media, Lzycki said that they detected 40 countries who had an examples of censorships, and 74% of which (32 countries) where a shutdown reached the national level.

He said that 54.9% of people live in countries which have been attacked, and 56.7% of users were subject to shutdowns. Also, 92.2% of countries have some sort of offensive capability.

Categories: Cyber Risk News