Feed aggregator

NutriBullet Experiences Multiple Magecart Skimmer Infections

Info Security - Wed, 03/18/2020 - 14:12
NutriBullet Experiences Multiple Magecart Skimmer Infections

The Magecart Group has revived its activity, with a skimmer placed on the website of blender manufacturer NutriBullet.

According to RiskIQ, the group is identified as Magecart Group 8, and RiskIQ was able to catch the attack as it happened. “Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims,” said Yonathan Klijnsma, head of threat research at RiskIQ.

According to an advisory on March 5, attackers placed the skimmer on the website and returned on March 10 to place a new skimmer as “the criminals still had access to NutriBullet's infrastructure and could continue to replace the skimmer domain in the code to make it work again.”

This followed an initial compromise on February 20, when the skimmer targeted the jQuery JavaScript library. RiskIQ said that this skimmer has been in use by Group 8 since at least 2018, whilst Group 8 has been active since 2016 and has reportedly compromised Amerisleep and MyPillow and Philippine broadcast company ABS-CBN in 2018.

RiskIQ said that Group 8’s preferred tactic is to focus on individual victims, rather than more widespread attacks.

The skimmer works by performing a check to see if the current page the browser is on looks like a payment page, and sets the top four variables to ensure that it's analyzing the right fields and the correct button for skimming. After it defines these variables and checks the browser's location, the top part of the skimming code grabs the field values — including some of the field names/IDs determined from the earlier defined variables — and puts all the data together. The skimmer then turns this data into a long text string that is encrypted before it goes off to the criminal-owned server.

“So far, we have observed this skimmer code on over 200 victim domains and have identified 88 unique actor-owned domains,” Klijnsma said.

RiskIQ named partners AbuseCH and ShadowServer who assisted in helping stop the active skimming on the site, but was critical of NutriBullet’s lack of response. Klijnsma said that RiskIQ researchers reached out to NutriBullet via their support channel and NutriBullet leadership via LinkedIn less than 24 hours after the incident, and continued outreach over the next three weeks.

Klijnsma said: “As of the date of this blog, our attempts at communication with NutriBullet have not been answered. The compromise is ongoing, and credit card data may still be getting skimmed, even as NutriBullet runs ad campaigns to pull in more customers.

“The company continues to put its customers at risk by ignoring our communications and offers of help. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.”

Javvad Malik, Security Awareness Advocate at KnowBe4, said: “The fact that the website has been compromised three times in as many weeks would indicate some underlying flaw that needs to be addressed urgently.”

Categories: Cyber Risk News

Trend Micro Finds and Fixes Zero-Day Bugs

Info Security - Wed, 03/18/2020 - 12:22
Trend Micro Finds and Fixes Zero-Day Bugs

Trend Micro has found and fixed several critical vulnerabilities in its products, two of which it warned are being exploited in the wild.

The security giant released patches for Apex One and OfficeScan XG on Windows, urging customers to upgrade to the latest versions “as soon as possible."

CVE-2020-8467 is a critical zero-day a vulnerability in the migration tool component of Trend Micro Apex One and OfficeScan. It could allow remote attackers to execute arbitrary code on affected machines.

CVE-2020-8468 is rated CVSS 8.0 (high) and is described as a “content validation escape vulnerability which could allow an attacker to manipulate certain agent client components” in the OfficeScan and Apex One agents.

Both of these zero-day attacks require user authentication first.

The remaining three vulnerabilities are all rated critical. CVE-2020-8470 is a bug in the Apex One and OfficeScan server, or more specifically, a vulnerable service DLL file that could allow an attacker to delete any file on the server with system-level privileges.

CVE-2020-8598 also stems from a vulnerable service DLL file, but this time one which could allow a remote attacker to execute arbitrary code on affected installations with system-level privileges.

CVE-2020-8599 relates to a vulnerable exe file on the Apex One/OfficeScan server which could allow a remote attacker “to write arbitrary data to an arbitrary path on affected installations and bypass root login.”

All three can be exploited without authentication.

“Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. Customers are encouraged to review and ensure the product servers and management consoles are restricted to trusted networks and/or users as appropriate,” the security update noted.

“In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.”

Trend Micro Research discovered the vulnerabilities in question.

Such discoveries are not uncommon in an industry more focused than most on ensuring products are bug-free. A few years back, flaws were found in offerings from 11 separate security vendors.

Categories: Cyber Risk News

Rights Group: APP Bank Fraud Cost Consumers £1bn

Info Security - Wed, 03/18/2020 - 10:35
Rights Group: APP Bank Fraud Cost Consumers £1bn

Financial institutions could have prevented hundreds of millions of pounds worth of fraud over the past three years by implementing a simple payee-checking service online, a consumer rights group has claimed.

Which? estimates that £1.1 billion has been lost to bank transfer fraud since 2017. In these cases, a scammer posing as a trusted entity tricks the victim to transfer money to a bank account under their control — known as “authorized push payment” (APP) fraud.

Because the victim has technically initiated the payment, up until recently they have had no way to claim these funds back.

However, things are changing: most UK bank users now receive a warning notice when making payments online, reminding them to check the details of any payee.

This is to be followed by a new Confirmation of Payee (CoP) initiative, whereby customers will receive a pop-up warning if the name of the payee doesn’t match the bank account details entered by the customer.

However, Which? is frustrated by the glacial pace of its implementation, with the system originally meant to go live in July 2019. It is now slated for March 31, 2020, but not all lenders will be forced to implement it.

“Only the six largest banking groups are being forced to sign up to CoP and there is even a chance that some won’t meet the new deadline,” it said.

The consumer rights group claimed that as much as £320 million in bank transfer fraud could have been prevented if such a system were put in place back in 2017. It should be noted that UK Finance estimates APP fraud at £354 million in 2018, the most recent year for which figures are available.

“This month will be decisive in demonstrating how well the industry is equipped to tackle the issue. It is vital for all banks to commit to basic name-check security, and the whole industry should sign up and follow through on the protections offered by the scams code,” argued Gareth Shaw, head of money at Which?

“If the banks fall short of making these commitments themselves, the government must step in and ensure these schemes are made mandatory. Anything less would be a betrayal of millions of people at risk of falling victim to increasingly sophisticated fraudsters.”

Categories: Cyber Risk News

Cloud Database Leak Exposes 425GB of Small Biz Financial Data

Info Security - Wed, 03/18/2020 - 09:58
Cloud Database Leak Exposes 425GB of Small Biz Financial Data

Over half a million highly sensitive legal and financial documents have been leaked online by a US loans company after another cloud configuration error.

Security researchers at vpnMentor led by Noam Rotem found the database in an unsecured Amazon Web Services (AWS) S3 bucket at the end of December.

It appears to be linked to a smartphone app known as MCA Wizard, developed by New York-based fintechs Advantage Capital Funding and Argus Capital Funding, which vpnMentor claimed were likely owned by the same company.

They are said to provide “merchant cash advances” (MCAs): controversial high-interest loans for small businesses and start-ups.

However, although the database URL contained the words “MCA Wizard,” the app is no longer available and most files bore no relation to the project. Even as the researchers discovered and tried to contact the firms, without success, new files were apparently being uploaded to the database.

The 425GB trove contained highly sensitive customer information including credit reports, bank statements, driver’s licenses, Social Security info, tax returns, scanned checks, purchase orders, and much more.

With this information, attackers could launch highly convincing phishing attacks, attempt check and financial fraud, target victim companies with malware, or even sell the data on the dark web, warned vpnMentor. The leak could even be investigated under the new California Consumer Privacy Act (CCPA), it claimed.

“This leak raises serious credibility and trust issues for Advantage and Argus. By not sufficiently securing this database and revealing so much information, they have compromised the safety, privacy, and security of their clients, partners, and customers,” the firm said.

“Those affected may take action against Advantage and Argus for doing so, either from ceasing to do business with either company or possibly pursuing legal actions. Both would result in considerable loss of clients, contracts, business relationships, and ultimately, revenue.”

After receiving no reply from the database owners, the researchers went direct to AWS, which promptly corrected the privacy snafu on January 9.

Categories: Cyber Risk News

Encryption Debate Stalls Child Protection Bill

Info Security - Tue, 03/17/2020 - 16:44
Encryption Debate Stalls Child Protection Bill

Concern over the use of end-to-end encryption in the United States is preventing a bill aimed at preventing child sexual abuse from becoming law. 

In a rare example of political unification during an election year, the “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020,” or EARN IT Act, has attracted bipartisan support. 

If passed, the bill would create a government-backed National Commission on Online Child Sexual Exploitation Prevention. The commission would be tasked with developing "best practices" for owners of internet platform to "prevent, reduce and respond to" the plethora of child sexual abuse material online.

Companies that fail to comply with the best practices Congress chooses to adopt would lose their legal liability shield as defined in the Communications Decency Act. Section 230 of that act states that "no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."

While many welcome the bill as an attempt to protect children from the ruinous horrors of sexual exploitation, others view it as a sneaky attempt to limit the privacy of American citizens.

Critics of the bill anticipate that a ban on the use of end-to-end encryption in commercial services will be one of the best practices recommended by the commission. Law enforcement has warned that such encryption allows sexual predators to operate with impunity by making it impossible for companies, law enforcement, or the government to access private communication between devices. 

Senator Ron Wyden has derided the bill as a "Trojan horse to give Attorney General Barr and Donald Trump the power to control online speech and require government access to every aspect of Americans' lives."

Co-sponsor of the bill Senate Judiciary Committee chairperson Lindsey Graham stated that the proposed law had no hidden agenda, explaining that it is "not about the encryption debate, but the best business practices."

In an effort to give the bill a fighting chance of overcoming the question of encryption, one of its co-sponsors, Senator Josh Hawley, said: "I can tell you right now I will not support something that compromises the integrity of encryption for users, because I think that that's hugely significant."

Categories: Cyber Risk News

Guitar Tuition Website Suffers Six-Month Data Breach

Info Security - Tue, 03/17/2020 - 16:22
Guitar Tuition Website Suffers Six-Month Data Breach

A Florida company that offers guitar lessons online to millions of students around the world has suffered a data breach.

Unauthorized access of TrueFire's computer system went on for six months before the breach was detected on January 10, 2020. 

In a data breach notification letter dated March 9, 2020, and signed by TrueFire Chief Customer Officer Ren Wright, users who made purchases via the website truefire.com between August 3, 2019, and January 14, 2020, were warned that their data may have been compromised.

Wright said that data exposed during the lengthy breach may have included names, addresses, payment card account numbers, card expiration data, and security codes.

Though the company does not store customers' payment card information itself, it warned that threat actors with access to its computer system may have been able to steal this information in real time as users bought classes and courses.

Wright wrote: "On January 10, 2020, TrueFire discovered that an unauthorized person gained access to our computer system and, more specifically, to information that consumers had entered through our website.

"While we do not store credit card information on our website, it appears that the unauthorized person gained access to the website and could have accessed the data of consumers who made payment card purchases, while that data was being entered, between August 3, 2019 and January 14, 2020."

TrueFire did not reveal how the breach was discovered but said that it has been reported to law enforcement. The company also said that it is "working with computer forensic specialists to determine the full nature and scope of the intrusion."

The company has advised its users to review their credit and debit card statements and check for any discrepancies or unusual activity. 

"You should also remain vigilant and continue to monitor your statement for unusual activity going forward," wrote Wright. No offer was made to provide users with free credit monitoring services. 

In their breach notification letter, TrueFire gave no reason as to why they waited until March 9 to inform users of the breach that was discovered on January 10. No mention of the data breach could be found on the TrueFire website at time of publication.

Categories: Cyber Risk News

Human Traffickers Still Recruiting Victims

Info Security - Tue, 03/17/2020 - 15:28
Human Traffickers Still Recruiting Victims

Human traffickers are still recruiting fresh victims via social media and online dating platforms, according to a new warning issued by America's Federal Bureau of Investigation. 

In a public service announcement delivered yesterday, the FBI warned the public to be wary when arranging to meet someone they have met online in person. 

Human traffickers use the lure of sex, romance, and increasingly of employment to ensnare online victims, setting up fake dates and making what appear to be legitimate jobs offers. 

The FBI said that in addition to providing human traffickers with rich hunting grounds for victims, online platforms are also a favorite way for criminals to advertise victims for sale as slaves or sex workers.

"FBI investigations show that human traffickers continue to use online platforms to recruit individuals to engage in forced labor or sex work. The Internet lets human traffickers contact virtually anyone in the world, giving them an opportunity to communicate with and recruit victims domestically and internationally," said the FBI. 

"Many Americans unknowingly encounter trafficking victims through their daily activities."

Victims who have been groomed online and persuaded to meet with the trafficker aren't simply snatched off the street and bundled into a van. The process of victimization is far more sinister and gradual.

"Human traffickers target vulnerable individuals by preying on their personal situations. After establishing a false sense of trust, traffickers may force victims into sex work or forced labor," warned the FBI.

Human traffickers select users to target by mining the information people share online for vulnerabilities that can be exploited. For example, if a user shares a post saying that they have lost their job, a trafficker might trap them by offering employment. 

The FBI said: "Online platforms make it easier for traffickers to find potential victims, especially those who post personal information, such as their financial hardships, their struggles with low self-esteem, or their family problems. 

"Human traffickers target and recruit their victims by appearing to offer help, or pretending to be a friend or potential romantic partner. They leverage their victims' vulnerabilities and coerce them to meet in person."

Categories: Cyber Risk News

Student Loans Company Hit by 5.4 Million Email Attacks in 2019

Info Security - Tue, 03/17/2020 - 12:02
Student Loans Company Hit by 5.4 Million Email Attacks in 2019

The Student Loans Company (SLC) was hit by over five million email attacks last year, but appears to have weathered the cyber-storm from hackers.

A Freedom of Information (FOI) request issued by law firm Griffin Law revealed the scale and nature of the email threat to the government-owned public body, which provides funding for over 1.3 million UK students.

A total of 5,445,273 email attacks were recorded by the SLC last year, 10,125 of which were linked to malware, and 19,188 of which were phishing attempts. The vast majority, 5,415,960, were classified as spam.

Although the data does not list any successful email attacks, the scale of the threat is clear from the figures. In fact, data from security vendor Trend Micro issued recently revealed that the firm blocked nearly 48 billion email-borne threats in 2019, 91% of the total it detected during the 12 months.

Tim Sadler, CEO at Tessian, argued that the SLC was understandably a major target for cyber-criminals given the vast trove of personal and financial information it holds on UK students.

“Phishing attacks are particularly effective because they are relatively easy and inexpensive to execute — it just takes one employee to fall for the scam and the attacker can steal money, harvest credentials or install malware onto devices,” he explained.

"In the case of SLC, it's likely that hackers will impersonate a trusted brand or individual to lure individuals to fake websites in order to steal their login credentials. With these credentials, attackers can then access an individual's account and send emails on their behalf.”

If they’re able to hijack an SLC account, hackers could pose as an employee to make phishing emails to students appear even more convincing, Sadler added.

A mixture of improved employee awareness training and technology filters that can better spot malicious and spoofed emails is the key to tackling such threats.

Categories: Cyber Risk News

US VPN Use Could Soar 150% as Covid-19 Spreads

Info Security - Tue, 03/17/2020 - 11:05
US VPN Use Could Soar 150% as Covid-19 Spreads

Use of virtual private networks (VPNS) has rocketed in some of the countries hardest hit by the Covid-19 virus, according to new data from a company that supplies these services.

Atlas VPN analyzed data from its 50,000 weekly users, measuring how much traffic travelled through its servers last week (March 9-15) versus the week before (March 2-8).

While the total number of customers remained relatively the same during the two weeks, usage spiked in some of the countries suffering the most from the new coronavirus.

VPN usage in Italy increased 112% over the past week, while the figure hit 38% in Iran and 36% in Spain.

At the time of writing there were 183,000 confirmed global cases of Covid-19. Italy (28,000), Iran (15,000) and Spain (10,000) are the top three countries affected after China, where the virus originated.

The respective governments of Italy and Spain have issued “lockdown” notices that require all citizens to stay at home and bars, cafes, restaurants, stadiums, cinemas and museums to close. Home working is urged, where possible.

In Iran, where the death toll from the virus is nearly at 6%, the government has been forced to release 85,000 prisoners in an attempt to prevent serious outbreaks in the country’s jails.

Other countries where Atlas VPN noted an uptick in VPN usage included the US, where there was a 53% spike over the two-week period.

Although the infection rate there is relatively low, organizations are already ramping up home working plans as trust in the Trump administration’s response to the outbreak slips.

The vendor’s COO, Rachel Welch, said the figures could increase even further over the coming months.

“We estimate that VPN usage in the US could increase by over 150% by the end of the month,” she said. “Overall, the usage of VPNs should continue to surge if the coronavirus pandemic worsens.”

Home workers are most likely taking advantage of VPNs to secure communications with corporate networks, while closed schools mean children and parents are using them in greater numbers to circumvent geo-restrictions to view their favorite entertainment content from around the globe, Atlas VPN suggested.

Categories: Cyber Risk News

Over a Quarter of Security Alerts Are False Positives

Info Security - Tue, 03/17/2020 - 10:20
Over a Quarter of Security Alerts Are False Positives

More than a quarter of security alerts fielded within organizations are false positives, according to new research from the Neustar International Security Council (NISC).

The NISC surveyed senior security professionals across five European markets and the US, highlighting the risks of alert fatigue currently being faced by businesses around the world.

As detailed in the research, more than two-fifths (43%) of organizations experience false positive alerts in more than 20% of cases, while 15% reported more than half of their security alerts are false positives.

The survey also revealed that enterprises, in response to growing cybersecurity threats, are investing more resources in network monitoring and threat intelligence technologies that create more alerts – and thus more false positives – for security teams.

“Security tools that simply produce large quantities of data to be analyzed, without contextualizing potential threats, are contributing to data overload, alert fatigue and burnout,” said Rodney Joffe, chairman of the NISC and SVP and fellow at Neustar.

“Cybersecurity teams are increasingly drowning in data and are overwhelmed by the massive volume of alerts, many of them false positives. To ensure these high-value employees in mission critical roles are well-equipped to separate the signal from the noise, enterprises need a curated approach to security data that provides timely, actionable insights that are hyper relevant to their own organization and industry.”

Curated threat data helps enterprises to counter real threats more effectively and spend less time chasing false positives, Joffe concluded.

Categories: Cyber Risk News

Agents Arrest 24 on $30m Money Laundering Charges

Info Security - Tue, 03/17/2020 - 09:38
Agents Arrest 24 on $30m Money Laundering Charges

Federal agents have arrested 24 individuals on suspicion of acting as money launderers for an online fraud operation that is said to have made over $30m.

Businesses and individuals are said to have lost the funds through various business email compromise (BEC), romance fraud and retirement account scams, among others.

The 24 defendants are accused of laundering funds from the schemes through bank accounts in the US and across the globe.

They’re alleged to have created fake companies and used fake and victim identities to open bank accounts, before transferring funds, quickly withdrawing them and then circulating the money among the other defendants.

Of the 24, Darius Sowah Okang, 29, of Stone Mountain, Georgia, is also charged with one count of bank fraud and one count of aggravated identity theft, after creating a bank account in a retirement account scam victim’s name and depositing $288,000 of their money in it.

Afeez Olaide Adeniran, 31, of Atlanta, Georgia, and Blessing Ojo, 34 of Nigeria, are also charged with one count of wire fraud. Adeniran is accused of defrauding a homebuyer of $40,000 intended for a real estate transaction, while Ojo is said to have masterminded a false invoicing scam that duped a Californian media company into wiring $646,840 to a bank account controlled by one of the defendants.

A further 17 individuals are awaiting charges of bank fraud, aggravated identity theft, money laundering, and conspiracies to commit these offenses from a federal court in Atlanta.

The charges highlight how rampant online fraud is today. BEC scammers made almost $1.8bn in 2019, over half the $3.5bn total cybercrime losses reported to the FBI, according to a recent report. Confidence and romance scams were in second place, netting scammers $475m.

“Fraud schemes, like the ones perpetrated and facilitated by these defendants, inflict considerable losses on citizens, companies and the financial system,” said US attorney Byung Pak. 

“Some of these schemes target the elderly and often deplete the victims’ entire life savings. These arrests affirm the Department of Justice’s commitment to prosecuting those who prey on our most vulnerable citizens.”

Categories: Cyber Risk News

Illinois College Suffers Data Breach

Info Security - Mon, 03/16/2020 - 19:07
Illinois College Suffers Data Breach

An Illinois college is offering nearly free credit monitoring to over 1,700 current and former employees following a recent data breach.

Officials at the College of DuPage confirmed on Monday that a cybersecurity incident had taken place recently. 

College president Brian Caputo said that personal and tax information belonging to 1,755 staff had been compromised. Data exposed in the incident included 2018 W-2 tax forms.

Caputo told the Daily Herald that the likelihood of the exposed information's being obtained by criminals or used for fraudulent purposes was low.

"However, the responsibility to protect private information is taken very seriously," Caputo said in a statement. "Therefore, the college is notifying the affected individuals out of an abundance of caution."

In addition to issuing breach notifications, the Glen Ellyn college is offering credit monitoring and identity protection services to current and former employees free of charge.

Caputo added that in a bid to prevent any future breaches, additional procedural safeguards have been implemented. 

An investigation into how the breach occurred is yet to produce any conclusive results. The college has not stated when the incident occurred or when it was discovered, nor shared any details regarding how the sensitive data came to be exposed.

"College of DuPage sincerely regrets this unfortunate incident and apologizes for any concern it may cause," Caputo said.

News of the cybersecurity incident comes as the college implements an alternative instruction plan in the wake of the COVID-19 pandemic. So far, no cases of the novel coronavirus have been confirmed among students, faculty, or staff. 

Elsewhere in the state, attackers infected the website of Champaign-Urbana Public Health District in Illinois with NetWalker ransomware last Wednesday. 

The cyber-attack was timed to hit as Americans clamor for up-to-date health advice and information amid the spread of COVID-19. 

"The timing is horrible," said health department administrator Julie Pryde on March 11. “The public needs to know it’s being taken care of, and we’re still functioning."

With the department's website temporarily out of service as a result of the attack, CUPHD used its social media accounts to share information on the coronavirus. 

Fortunately, the health department's website was back up and running by March 12.

Categories: Cyber Risk News

Checkmarx to Be Acquired by Hellman & Friedman

Info Security - Mon, 03/16/2020 - 17:19
Checkmarx to Be Acquired by Hellman & Friedman

Insight Partners has agreed to part with application and software security company Checkmarx in a billion-dollar deal. 

Once the deal is complete, Checkmarx will be owned by global private equity firm Hellman & Friedman, though Insight Partners will retain a substantial minority interest.

Checkmarx is to be acquired at a valuation of $1.5bn, making the planned transaction the largest acquisition of an application security company to date.

Among Checkmarx's 1,400 customers in 70 countries are 40 Fortune 100 organizations, including SAP, Samsung, and Salesforce.com.

Since being founded in 2006, Israel-based Checkmarx has been led by CEO Emmanuel Benzaquen and CTO and founder Maty Siman. Currently, the company employs more than 700 employees in 22 countries. 

"This acquisition is a clear testament to Checkmarx’s inimitable global team who have ensured our leadership position in software security, as well as to the significant role our technology plays in the broader cybersecurity industry," said Benzaquen.

The CEO went on to say that the company's planned partnership with Hellman & Friedman would enable Checkmarx to reach even dizzier heights of achievement. 

He said: "More than 40 of the Fortune 100 have turned to Checkmarx to mitigate risk, secure code, and embed security into every aspect of their software development. We are thrilled to partner with H&F in our journey that takes our ‘software equals security’ vision to the next level."

Insight Partners managing director Richard Wells praised the progress Checkmarx has made in recent years. 

"Even before we invested in the Company in 2015, we have been continuously impressed by the leadership to come out of this team of game changers and innovators," said Wells.

"Maty and Emmanuel are two of the cybersecurity industry’s top operators and we have been thrilled to have supported their stratospheric growth over the last five years. We will remain active supporters and vocal champions of the Checkmarx team."

Evercore acted as lead financial advisor and Stifel as advisor for this transaction. RBC acted as lead financial advisor and Simpson Thacher as legal counsel to H&F. HFN acted as legal counsel to Checkmarx, and Willkie Farr & Gallagher acted as legal counsel to Insight Partners.

Categories: Cyber Risk News

US Health Department Hacked Amid Coronavirus Pandemic

Info Security - Mon, 03/16/2020 - 16:47
US Health Department Hacked Amid Coronavirus Pandemic

Cyber-attackers have hacked the US Health and Human Services Department as America works hard to minimize the impact of the COVID-19 virus. 

The intrusion occurred on Sunday night and is thought to have been motivated by a desire to slow the agency down and spread misinformation among the public.

After compromising the department's system, attackers circulated a false claim that the American government planned to introduce a nationwide lockdown.

The erroneous rumor that every American would be ordered to self-quarantine at home was quashed by the National Security Council. Just before midnight on Sunday, the NSC published the following statement on Twitter: “Text message rumors of a national #quarantine are FAKE. There is no national lockdown. @CDCgov has and will continue to post the latest guidance on #COVID19.”

Earlier today, a spokesperson for the NSC said: "We are aware of a cyber incident related to the Health and Human Services computer networks and the federal government is investigating this incident thoroughly. . . . HHS and federal networks are functioning normally at this time."

According to Bloomberg, the cyber-attack on the Department of Health and Human Services consisted of multiple incidents but is not believed to have resulted in the theft of any data. 

Bloomberg's senior White House reporter Jennifer Jacobs said the multi-pronged assault on the health department included a DoS attack.

Writing on Twitter earlier today, Jacobs stated: "The hack yesterday involved overloading the HHS servers with millions of hits over several hours, sources tell me."

Reporting on the intrusion earlier today, Bloomberg said Secretary of State Michael Pompeo and other Trump administration officials are aware of the incident.

No definitive proof has been found as to who perpetrated the multi-hack. Thoughts on where the attack may have originated are so far purely speculative. 

Commenting on the attack, Jake Moore, cybersecurity specialist at ESET, said: “Suffering a cyber-attack in the midst of a pandemic adds salt to the wound when organizations are already at full stretch. 

"We all need to be more vigilant at the moment and take even more caution when communicating remotely."

Categories: Cyber Risk News

Rail Thieves Prosper as Mobile Device Thefts Jump 62%

Info Security - Mon, 03/16/2020 - 11:30
Rail Thieves Prosper as Mobile Device Thefts Jump 62%

Thousands of mobile devices are stolen on UK trains every year, with the number soaring 62% over the past two years, according to new Freedom of Information (FOI) data.

Absolute Software submitted the FOI requests to the British Transport Police (BTP), which covers the entire rail network including regional light railways such as the London Underground, Docklands Light Railway, the Midlands Metro tram system, Croydon Tramlink, Tyne and Wear Metro and Glasgow Subway.

It claims that 8.6 million travellers use these networks every day. However, the chances of them having a mobile device stolen whilst using the train appear to be increasing.

The number of devices that went missing over the last two calendar years jumped from 5516 reported instances in 2018, to 8918 last year.

Most common was the “mobile phone and accessories” category, which accounted for 11,460 thefts over the period. Incidents jumped from 4207 in 2018 to 7253 in 2019, an increase of 72%.

Next came “laptops, tablets, and personal digital assistants,” of which 2974 were stolen in the last two calendar years: 1309 in 2018, and 1665 in 2019, an increase of 27%.

Andy Harcup, VP at Absolute Software, argued that commuters are “sending all the wrong signals” to rail thieves.

“With the rise of flexible and remote working, many of these devices will contain critical workplace data and confidential company information that could easily fall into the hands of malicious fraudsters,” he warned.

“Tackling this issue requires rail users to be vigilant against opportunist thieves, as well as companies doing much more to protect and secure all company devices. Key to this effort is incorporating endpoint cybersecurity software, so their vulnerabilities are self-healing, resilient and can be remotely tracked and frozen if they end up in the wrong hands.”

Categories: Cyber Risk News

UK Spies Hunt Down Covid-19 Threats

Info Security - Mon, 03/16/2020 - 10:20
UK Spies Hunt Down Covid-19 Threats

The UK’s National Cyber Security Centre (NCSC) has stepped in to remove malicious and phishing websites linked to Covid-19 scams, but warned that attacks could increase if the outbreak does.

The GCHQ body said that phishing efforts using the Coronavirus as a lure have led to victims losing money and sensitive data across Europe.

It urged businesses and consumers to consult its advice on email scams and dealing with malware to better insulate them from the threat of ransomware, credential theft and fraud.

“The NCSC has seen an increase in the registration of web pages relating to the Coronavirus suggesting that cyber-criminals are likely to be taking advantage of the outbreak,” it said.

“Continued global susceptibility to phishing will probably make this approach a persistent and attractive technique for cyber-criminals. Moreover, if the outbreak intensifies, it is highly likely that the volume of such attacks will rise.”

Security vendors have been sounding the alarm over phishing attacks for more than a month. Emails are often spoofed to appear as if sent from the World Health Organisation (WHO), the US Center for Disease Control (CDC) or other official bodies, and claim to contain new information on the outbreak in an attachment or via a link.

Some are laden with malware while others request the user enter their email and password, Outlook log-ins or other credentials to proceed. There are also reports, cited by the NCSC, of fraudsters requesting Bitcoin donations to fund a fake vaccine, and even scam sites selling fake antiviral equipment.

“We know that cyber-criminals are opportunistic and will look to exploit people’s fears, and this has undoubtedly been the case with the Coronavirus outbreak,” said NCSC director of operations, Paul Chichester.

“Our advice to the public is to follow our guidance, which includes everything from password advice to spotting suspect emails. In the event that someone does fall victim to a phishing attempt, they should look to report this to Action Fraud as soon as possible.”

Categories: Cyber Risk News

Half of UK Firms Suffer Basic Cyber-Skills Gaps

Info Security - Mon, 03/16/2020 - 09:57
Half of UK Firms Suffer Basic Cyber-Skills Gaps

The number of UK companies with a basic cybersecurity skills gap has dropped from 2018 but still stands at around half of all businesses, according to a new government study.

The Department for Digital, Culture, Media & Sport (DCMS) report is compiled from analysis of labor market databases, interviews with training providers and quantitative surveys with UK organizations.

Although down from 54% in 2018, 48% of firms still have staff unable to carry out the basic tasks outlined in the government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware, it warned.

The report claimed that 30% of UK businesses also lacked more advanced cyber-skills in areas such as pen testing, forensics and security architecture, while over a quarter were understaffed in terms of incident response (27%).

Other skills in high demand included: threat assessment or information risk management, assurance, audits, compliance or testing, cybersecurity research, implementing secure systems and governance and management.

Two-thirds (64%) admitted they suffered problems with cybersecurity skills gaps and a quarter (25%) complained that this had seriously impacted business goals. A third (35%) of employers reported vacancies being hard to fill, either because applicants lacked technical skills or knowledge (43%) or relevant soft skills (22%).

The government report also claimed that just 15% of the current cybersecurity workforce is female, much less than the 24% global figure reported by (ISC)2. Diversity is lacking elsewhere: just 16% come from ethnic minority backgrounds and only 9% were classed as neurodivergent.

However, on the plus side, more businesses today than in 2018 have carried out a formal analysis of their training needs (22% versus 14%) and more consider it essential to have incident response skills (23% versus 17%).

The government called for greater investment in technical skills and training, more relevant courses from schools, universities and training providers, and a more open attitude from recruiters.

“Many employers could benefit from broadening their recruitment practices, to employ more career starters, apprentices, graduates, people transitioning from other sectors or roles outside cybersecurity, and those from diverse groups,” it said.

Categories: Cyber Risk News

US Scraps Missiles Over Cybersecurity Concerns

Info Security - Fri, 03/13/2020 - 18:09
US Scraps Missiles Over Cybersecurity Concerns

America has abandoned plans to introduce an Israeli-made missile system over fears that it may not be cyber-secure.

The US Army spent $373m on the purchase of two batteries of Iron Dome missiles last year. Plans to spend a further $600m on two new batteries and Iron Dome components by 2023 have now been scrapped after Israel reportedly refused to hand over the system's source code.

Without access to the source code, the army cannot integrate the batteries with its other air defense systems. The army is concerned that failure to integrate the batteries could create serious cybersecurity vulnerabilities.

Speaking to the House Armed Services Tactical Air and Land Forces Subcommittee on March 5, Gen. Mike Murray, commander of Army Futures Command, said: "It took us longer to acquire those [first] two batteries than we would have liked. 

"We believe we cannot integrate them into our air-defense system based upon some interoperability challenges, some cyber[security] challenges and some other challenges. So, what we ended up having is two stand-alone batteries that will be very capable, but they cannot be integrated."

Attempts to integrate the Iron Dome system with the US Army’s Integrated Battle Command System (IBCS) last year caused several challenges, including cyber-security problems. 

Murray said it would be “exceptionally difficult to integrate Iron Dome into our layered air-defense architecture [and] to get Iron Dome to talk to other systems [and] other radars, specifically the Sentinel radar.” 

“What you’re probably—almost certainly—going to see is two stand-alone systems. And if the best we can do is stand-alone systems, we do not want to buy another two batteries."

The two Iron Dome batteries purchased by the US Army included 12 launchers, two sensors, two battlement management centers, and 240 interceptors.

Iron Dome was first deployed by Israel outside Beersheba in April 2011. The system was built by Rafael Advanced Defense SystemsIsrael Aerospace Industries, and Raytheon, which manufactures the American-made Patriot missile system. 

Ironically, Iron Dome was largely financed by American taxpayers when Congress agreed in 2012 to give Israel $1.5bn to develop and produce the system.

Categories: Cyber Risk News

Info-Stealing Coronavirus Threat Map Detected

Info Security - Fri, 03/13/2020 - 17:14
Info-Stealing Coronavirus Threat Map Detected

Cyber-criminals have launched a fake coronavirus threat map website to steal personal information from a panicked public.

The new site joins a growing number of scams exploiting COVID-19, proving that while the world may be running out of hand sanitizer, criminals are not running out of new ways to exploit human fear and curiosity.

The map was found doing its dirty work via the link corona-virus-map.com.exe by Reason Labs researcher Shai Alfasi. Victims who visit the page are shown a map of the globe highlighting to which countries the virus has spread together with stats on the number of deaths and infections recorded.

To give the fake and malicious map an extra aura of authenticity, criminals have designed it to mimic a legitimate COVID-19 threat map created by Johns Hopkins University that similarly shows countries hit by the virus together with the latest statistics.  

"The malware has a graphical user interface that looks very good and convincing," said Alfasi.

Alfasi discovered emails containing links to the bogus map. Victims who clicked on the links unknowingly activated malicious information-stealing software. 

"This technique is pretty common. I came across it once before, and after doing some digging around, discovered that this information-stealing tactic came from a malware family called 'AZORult,' which was first seen in the wild in 2016," said Alfasi.

AZORult is commonly sold on Russian underground forums for the purpose of collecting sensitive data from an infected computer. 

The malware can be used to steal browsing history, cookies, ID/passwords, cryptocurrency, credit card information stored in users' browser history, and more. It can also download additional malicious software onto infected machines. 

In the course of his research, Alfasi observed the malware "looking for different cryptocurrency wallets such as Electrum and Ethereum."

Describing how the malware works, Alfasi said: "When the victim gets infected, the malware extracts data and creates a unique ID of the victim’s workstation. It then applies XOR encryption using the generated ID. This ID is used to tag the workstation in order to start C2 communication. 

"The C2 server responds with configuration data, which contains target web browser names, web browser path information, API names, sqlite3 queries, and legitimate DLLs."

Categories: Cyber Risk News

Threat-Thwarting Guidance Published for Cargo Ships

Info Security - Fri, 03/13/2020 - 15:24
Threat-Thwarting Guidance Published for Cargo Ships

A Dutch nonprofit has published new guidance to help cargo ships repulse cyber-attacks.

The Digital Container Shipping Association (DCSA) unveiled its "DCSA Implementation Guide for Cyber Security on Vessels" on Tuesday. 

The document was designed to facilitate vessel readiness for the IMO (International Maritime Organization) Resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems. 

Produced in conjunction with nine of the organization's member carriers, the guide outlines best practices for ocean carriers and provides shipping companies around the world with a common language with which to discuss the cyber-threats faced by their industry.

DCSA's new guide breaks down the implementation of an effective cybersecurity strategy into five key areas: Identify, Protect, Detect, Respond, Recover. 

Rather than a one-size-fits-all approach, advice is tailored to the company's level of cyber-maturity and explanations and recommendations are written in non-technical language to make the document user-friendly. 

Thomas Bagge, DCSA CEO, said there was a need for shipping to raise its level of cybersecurity preparedness up to that of other industries that have already taken steps to secure themselves. 

“As shipping catches up with other industries such as banking and telco in terms of digitization, the need for cyber risk management becomes an imperative,” said Bagge.

He went on to explain how the economic importance of shipping made the industry a prime target for threat actors. 

Bagge said: "Due to the global economic dependence on shipping and the complex interconnectedness of shipping logistics, cyber-attacks such as malware, denial of service, and system hacks can not only disrupt one carrier’s revenue stream, they can have a significant impact on the global economy."

While advice on cybersecurity differs from country to country and from government to government, the DCSA tasks itself with providing objective guidance that doesn't favor a particular business or nation.

Bagge explained: "As a neutral digital standards organization, DCSA is uniquely positioned to help vessel owners mitigate the increasing risk of cyberattack on their ships, and in turn, on the industry at large."

Head of maritime safety and security for the Baltic and International Maritime Council Jakob Larsen said the new guidance "provides a thorough and refreshing deep dive into the challenge of how to implement cyber risk management in a shipowner company."

Categories: Cyber Risk News