A city in Oregon has paid a ransom of $48,000 to regain control over its computer network following a cyber-attack.
The city of Keizer's computer system was successfully targeted by threat actors using ransomware in the early hours of June 10. The attack left officials unable to access either files or their email accounts for a full seven days.
In a hand-delivered statement viewed by Oregon Live shortly after the attack was carried out, city officials said: “We are taking this seriously, and are working to resolve the situation as quickly as possible."
Unable to recover the encrypted files themselves, despite engaging the help of the "appropriate authorities," officials eventually acquiesced to the ransom demand issued by the attacker(s).
Subsequently, by around 11:45am on June 17, employees of the Marion County city were able to once again access their email accounts and files.
The ransomware attack was first detected on the morning of June 10 when city employees tried and failed to access the data and programs they rely on to carry out their duties.
A city spokesperson said: “We were presented with a request for a ransom payment needed to obtain the needed decryption keys."
While the city was unable to fend off this particular cyber-attack, officials are hopeful that lessons have been learned from it that will prove useful in the event of further digital strikes.
“We believe that the forensic investigation could provide critical information to defend against attacks in the future,” said a city spokesperson.
The city said that no sensitive data appears to have been accessed or misused as a result of the ransomware attack.
Keizer isn't the only place in Oregon to be targeted by ransomware this year, nor is the city alone in its decision to pay up to retrieve encrypted files and data. In January of this year, a ransom of $300,000 was paid by Tillamook County to recover information held hostage by cyber-criminals following a ransomware attack.
The county's commissioners voted unanimously to negotiate with the attackers for an encryption key after attempts to safely recover data impacted by the attack failed.
Speaking at the Westminster eForum policy conference on identifying and tackling the key issues in the online space and assessing the industry’s response so far, Professor Victoria Nash, deputy director, associate professor and senior policy fellow at the Oxford Internet Institute, said she admired but “was anxious about the breadth” of the Online Harms whitepaper, and the lack of distinction between legal and illegal online harms.
She said she had been very pleased to see a “clear distinction between the attention that will be given to the illegal harms and an approach in the context of legal but harmful which focuses more on procedure and governance and encouraging responsible behaviors by companies rather than focusing on specific pieces of content and having them removed.”
In particular, she argued there was room to establish the role of the regulator in being able to consider how to credit those technology companies who are proactive, as well as take action against problematic issues.
Highlighting recent events, Nash said that some of these represent the issues for regulators and technology companies going forward. She flagged the issue of hate speech, as reports continue around Facebook removing adverts, which she called “a failure to deal with the rise in hateful content,” and she said that the Oxford Internet Institute’s own research has seen a rise in hate speech since the COVID-19 pandemic began.
“At a time when we are asking companies to do more and to step up and reduce this content online, the nature of that content continues to advance and change, which poses challenges,” she said. “The other thing we need to bear in mind about that is that there is a tension between a need to remove content rapidly, but perhaps we give companies less credit for doing so accurately.”
Discussing the challenges posed by disinformation, Nash said the importance of this has been “magnified over the past few months.” She said as an academic, the spread of this issue has been monitored but “the spread of junk news may reach more individuals” than a genuine news story.
“While tackling it is a challenge and we understand its spread, we don’t understand its effects,” she stated. “So if companies are taking a proportionate and risk-based approach to removing content on their platforms, what does that look like in regard to disinformation? Does it mean removing it, does it mean de-ranking it, does it mean flagging it?”
She said there are no clear answers to those questions yet, but the whitepaper, regulator and technology companies need to deal with these issues.
“Whilst we’re closer to having a policy framework that is appropriate and likely to be effective in reducing our exposure to online harms, the nature of the challenge is not becoming any less complex,” she said. In particular, support for the technology companies will be necessary.
In a question posed by Infosecurity about the need for human moderators to work alongside AI and machine learning to flag harmful content, Susie Hargreaves, chief executive of the Internet Watch Foundation, said it was important to have human moderation, even while technology improves, but there is no “magic bullet” yet. “We are at a stage where the technology is developing, but we cannot get away from the need for human moderation,” she said.
Ben Bradley, head of digital regulation at techUK, said there are technical solutions on disinformation where you can see, detect and disrupt actions, but the larger challenge is how misinformation develops over time. “While you can build the tools, it does emphasize the need for greater thinking around this,” he said.
The Age Verification law is set to be revived for the UK Government’s online harms bill.
Speaking at the Westminster eForum policy conference around next steps for online regulation in the UK, Sarah Connolly, director, security and online harms at DCMS, said that age verification “has a fairly troubled history” and it is the intention of DCMS “to roll it into the wider online harms agenda, so that will be the vehicle that will make changes.”
The Age Verification proposals were previously met with conflict over practicalities, both in ensuring that it was operated efficiently, and over the data protection of those approved. Under the proposal, pornography websites would be required to verify that users are aged 18 or older. Suggested ways of doing this included running verification checks on credit cards, or by making verification passes available to purchase from newsagents on the presentation of photo ID.
However, the plan was abandoned in October 2019 due to implementation difficulties.
Speaking on the plans for the Online Harms bill, Connolly said “we all know that the internet is used to abuse, to bully, to promote terrorism, to abuse children and to undermine democracy.” As a result, in the four years she has been working on this issue, there has “been a real momentum to get something done in this space,” but the challenge is to do the right thing in an “incredibly complex area.”
Part of the plan is to enshrine a government duty of care among websites and networks where users are able to share user generated content, and this duty will be enforced by an independent regulator whom government is yet to name.
“This is not something we can do alone, and we’re pretty clear that lots of stakeholders will have a role in helping us tackle this public policy concern,” she said.
Connolly said work continues on the policy, and that DCMS intends to publish a full government response before the end of the year. “I don’t think for a moment that government has a monopoly of good ideas on this, that is why my team and I are keen to talk and listen to you all, including to people who disagree with our approach as we have changed positions previously in response to those conversations, as it is an immensely complex and difficult issue and it is really important that we get it right,” she said.
US government websites are taking another major step forward to becoming more secure after it was announced that all .gov domains would be changed to enforce HSTS preloading.
The DotGov program made the announcement on Sunday, stating that all new .gov domains will be automatically preloaded from September 1, 2020. The transitioning of historical ones will take longer.
The HSTS standard ensures a user’s browser always enforces an HTTPS connection to a website, including preventing users from clicking through if the domain has a certificate error.
“For a user to take advantage of HSTS, however, their browser has to see the HSTS header on a site at least once. This means that users are not protected until after their first successful secure connection to a given domain, which may not occur in certain cases,” wrote DotGov.
“To solve this problem, a domain can be submitted to the HSTS preload list, a list of domains embedded into browsers that get HSTS enabled automatically, even for the first visit. Domains that preload protect their entire ‘namespace,’ including all current or potential subdomains.”
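The two quoted paragraphs describe the gap preloading closes: a browser only learns HSTS from a header it has already seen, so the preload list bakes the policy in ahead of the first visit. The following checker is an added example, not DotGov or CISA code: it parses a Strict-Transport-Security header using the directive syntax of RFC 6797 and reports why the header would fall short of the preload list's submission rules. The rules encoded (a max-age of at least one year, includeSubDomains, and an explicit preload directive) are the published hstspreload.org requirements as the author understands them and should be confirmed against the current list rules; the sample header values are constructed.

```python
"""Added example, not DotGov/CISA code: parse a Strict-Transport-Security
header (RFC 6797 directive syntax) and report why it would fail the HSTS
preload list's submission rules. The rules below are the hstspreload.org
requirements as the author understands them (assumption): max-age of at
least one year, includeSubDomains, and an explicit preload directive.
Header values at the bottom are constructed samples."""
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR_SECONDS = 31536000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    unknown: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split the header into ';'-separated directives; names are case-insensitive."""
    policy = HstsPolicy()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            # RFC 6797 tells user agents to ignore directives they do not recognise;
            # keep them so an operator can spot typos such as "includeSubdomain".
            policy.unknown.append(name)
    return policy


def preload_problems(header_value: Optional[str]) -> List[str]:
    """Return the reasons a header would be rejected for preloading; empty means eligible.

    A None header is the case DotGov describes: the browser never sees HSTS,
    so the user is unprotected until the first successful HTTPS visit."""
    if header_value is None:
        return ["no Strict-Transport-Security header sent"]
    policy = parse_hsts(header_value)
    problems: List[str] = []
    if policy.max_age is None:
        problems.append("missing max-age directive")
    elif policy.max_age < ONE_YEAR_SECONDS:
        problems.append(f"max-age={policy.max_age} is below one year ({ONE_YEAR_SECONDS})")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains (preload covers the whole namespace)")
    if not policy.preload:
        problems.append("missing preload directive (explicit consent to listing)")
    return problems


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real .gov site.
    samples = {
        "ready": "max-age=63072000; includeSubDomains; preload",
        "short-age": "max-age=300; includeSubDomains; preload",
        "no-subs": "max-age=31536000; preload",
        "no-header": None,
    }
    for label, value in samples.items():
        found = preload_problems(value)
        print(f"{label:10s} -> {'eligible' if not found else '; '.join(found)}")
```

The header is only half the story: the list also requires that the site redirect plain HTTP to HTTPS on the same host and serve a valid certificate, which is exactly the condition DotGov warns many existing domains do not yet meet, so a checker like this is a pre-flight aid rather than a substitute for the hstspreload.org submission check.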
Although new .gov domains will be preloaded automatically from September, existing ones will take much longer to transition. If preloading were switched on today, those that don’t currently offer HTTPS would become inaccessible to users, DotGov warned.
The organization is collaborating with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to ensure .gov domain owners are ready for the move, but said it would take some time.
“Actually preloading is a simple step, but getting there will require concerted effort among the federal, state, local and tribal government organizations that use a common resource, but don’t often work together in this area,” it explained.
“With concerted effort, we could preload .gov within a few years.”
All US government agencies were supposed to have made their websites accessible through HTTPS-only via HSTS by the end of 2016.
Over two-fifths of businesses are considering replacing email as their primary communications channel as the country begins to open up again after lockdown, according to a new report.
Think tank Parliament Street commissioned the poll of 200 senior decision makers in medium and large UK firms to better understand how COVID-19 will change the world of work going forward.
Some 43% claimed they were “actively considering replacing email” as the main form of online communication for employees, with cloud- and app-based alternatives.
Real-time chat capabilities in cloud-based platforms can offer more efficient ways for staff to collaborate from within documents they are all working on, argued Zoho’s European managing director, Sridhar Iyengar.
“With remote working more widespread than ever, it is inevitable that these new communication methods, which instigate faster decisions, more streamlined processes and instant approvals, are superseding email in many cases as preferred tools for employee communication,” he continued.
“Not all communication is needed to be in real-time, but these other channels can do a better job of replicating the speed of in-person office work when more timely responses are required.”
Email is also more exposed to cyber-threats than end-to-end encrypted online alternatives. Half (51%) of global firms suffered a ransomware attack, 58% saw an increase in phishing and 60% experienced an uptick in impersonation attacks via email over the past year, according to Mimecast.
Although the government has lifted lockdowns imposed on non-essential retailers and is set to allow hospitality businesses to open up from July, organizations that can are still urged to support remote working for as many staff as possible.
Half of those firms surveyed by Parliament Street said they will continue to mandate working from home for all employees, even once the country returns to ‘normal.’
Some 61% said they’re looking to refresh their digital strategy to make flexible working easier and 64% are training staff remotely to improve their skills in this area.
Those findings chimed with what Sonny Sehgal, CEO of managed services firm Transputec, is seeing.
“By embracing IT as an enabler of workplace change, forward-thinking businesses will be able to move forward swiftly, empowering a new generation of staff through flexible and productive working practices,” he said.
A major supply chain breach appears to have led to the exposure of hundreds of thousands of sensitive US police records dating back over two decades.
WikiLeaks-like organization Distributed Denial of Secrets released the trove on Friday, claiming it contained 10 years of data from over 200 police departments, fusion centers and other training and support resources. Fusion centers are designed to promote info-sharing between state and local police departments.
“BlueLeaks provides unique insights into law enforcement and a wide array of government activities, including thousands of documents mentioning #COVID19,” the group tweeted.
The 269GB trove contains “police and FBI reports, bulletins, guides and more,” it said.
A National Fusion Center Association (NFCA) alert seen by journalist and researcher, Brian Krebs, apparently confirmed the breach but claimed the leaked data actually dates back 24 years, to August 1996.
It is said to contain names, email addresses, phone numbers, ACH routing numbers, international bank account numbers (IBANs), as well as personally identifiable information (PII) and images on suspects.
“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise,” the NFCA reportedly wrote.
“Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”
There are fears that the data could endanger lives, if used by organized crime groups to unmask undercover police officers and witnesses, whilst potentially causing reputational harm to suspects who were subsequently released.
“It's no surprise that law enforcement was the target of this data breach. With the current civil and political climate, a wide range of threat actors, from activists to nation states, would be interested in revealing this sort of confidential information,” argued Gurucul CEO, Saryu Nayyar.
“Now is a good time to review and update security postures, policies and tools, especially where they involve third party vendors and SaaS applications that may not give an organization direct control of their sensitive data.”
A member of a Florida school board has denied responsibility for a social media post that implied her professional achievements had not been acquired via white privilege.
Broward School Board member Ann Murray claims that a controversial meme that appeared on her personal Facebook page on Sunday, June 21, was posted by a hacker who had compromised her account.
The meme, which was criticized as racist by some other Facebook users, was shared on 77-year-old Murray's page at around 5:30pm after being posted by another user, Keith Medford, on June 8.
The content of the meme appears to imply that there is no inherent career advantage to being white.
It read: “When I was born, they must have ran out of white privilege because I had to work my ass off to get where I am.”
Murray was distraught by the appearance of the post on her page and swore on her husband's grave to the Sun Sentinel that she was not responsible for sharing it.
“Goodness gracious. Why would I put something out there like that?” said Murray.
“I only post funny things, mostly about animals."
The school board member said that she was now considering closing her Facebook account down following repeated hacks of her page.
“That’s the second time in two months my Facebook page has been hacked," said Murray. "I may be shutting the whole thing down."
The controversial meme denying the existence of racial bias in the workplace was removed from Murray's page by 9pm on the day on which it was posted, but not before other Facebook users had torn into the school board member for apparently sharing it.
Commenters described what they believed to be Murray's actions as “racist,” “tone-deaf,” “disgusting,” and “reprehensible.” The supposed sharing of such a grammatically incorrect message by a school board member attracted no criticism.
Following the post's removal, Murray posted a message stating that Facebook customer service had notified her “about UNUSUAL account activity, with someone signing in from UNRECOGNIZED DEVICES.”
She added: “I apologize for anything that posted, that was disrespectful.”
Previous posts on Murray's Facebook page include messages supporting America's black community such as AFL-CIO endorsements of prominent black political candidates and a quote from Martin Luther King Jr.
Henry Kyle Frese worked for the DIA from February 2018 to October 2019 as a counterterrorism analyst and held a Top Secret / Sensitive Compartmented Information security clearance.
The 31-year-old resident of Alexandria, Virginia, was found guilty of passing secrets relating to the weapons capabilities of some foreign countries to two journalists on multiple occasions in 2018 and 2019.
According to court documents, Frese and a female reporter referred to as Journalist 1 were romantically involved and lived together at the same residential address from January 2018 to November 2018.
United States government agencies have confirmed that in the spring and summer of 2018, a news outlet published eight articles, all authored by the same journalist (Journalist 1), that contained classified information regarding the capabilities of certain foreign countries’ weapons systems.
These articles contained classified intelligence from five intelligence reports (the compromised intelligence reports) made available to appropriately cleared recipients in the first half of 2018.
Frese, who followed Journalist 1 on Twitter, re-tweeted her posts announcing the publication of articles containing the classified information that he had searched for on a classified US government computer system and supplied to her.
“Frese repeatedly passed classified information to a reporter, sometimes in response to her requests, all for personal gain,” said Assistant Attorney General for National Security John Demers.
Journalist 2 began texting and speaking to Frese after the pair were introduced by Journalist 1 in or about April 2018. Following the introduction, Frese stated in a Twitter direct message sent to Journalist 1 that he was “down” to help Journalist 2 if it would help the career of Journalist 1 “progress.”
Between mid-2018 and late September 2019, Frese orally transmitted information classified at the Top Secret level to Journalist 1 on 12 separate occasions and transmitted information classified at the Secret level to Journalist 1 on at least four occasions.
Zachary Terwilliger, US attorney for the Eastern District of Virginia, said Frese’s actions "had real consequences and caused actual harm to the safety of this country and its citizens.”
Frese was sentenced on June 17 to 30 months behind bars.
An alleged breach of COVID-19 test result data is being investigated by authorities in Indonesia.
Concerns over a possible breach were raised after a hacker tried to sell what they claimed was the personal information of hundreds of thousands of people who had been tested for the novel coronavirus in Indonesia on an online forum.
Posting on the database sharing and marketplace forum RaidForums on June 18, the alleged hacker claimed to have exfiltrated the test results and personal details of 230,000 people.
The possible cyber-criminal posted a for-sale notice under the username "Database Shopping." A sample of the allegedly leaked data was displayed along with an offer to sell the entire set for US$300.
Information the alleged hacker claimed to have accessed included names, addresses, phone numbers, ages, and nationalities. Also included were the private medical records of people who had been tested for COVID-19 at a number of different hospitals in well-known tourist hotspot, Bali.
"I sell it to the enthusiast," wrote the hacker in their post, before claiming to have similar data available for purchase, swiped from other parts of Indonesia. Areas that Database Shopping claimed to have targeted included Jakarta and the West Java provincial capital of Bandung.
The Indonesian government has denied that a breach of any COVID-19 test data has taken place. However, an investigation into the alleged hack has been launched by the Communication and Information Technology Ministry and the national police's criminal investigation department.
Communication and information technology minister Johnny Plate said the matter was being examined by the National Cyber and Encryption Agency.
Plate told The Straits Times on June 21: "The Covid-19 database and the results of the examinations at the ministry's data center are safe."
The minister added that data centers and other ministries and government institutions will be assessed by the ministry to ensure that all data remained secure.
The government's denial of a data breach was seconded on June 21 by the National Cyber and Encryption Agency, according to local Indonesian media.
Last month, a different hacker advertised for sale on RaidForums the personal data of 15 million Indonesian users of Tokopedia for $5,000.
Security researchers are warning players of a popular MMO game that over 1.3 million user records are being sold on dark web forums.
Usernames, passwords, email addresses, phone numbers and IP addresses belonging to players of Stalker Online were found by researchers from CyberNews.
The firm explained that the passwords were stored only in MD5, which is one of the less secure hashing algorithms around.
Two databases were found on underground sites as part of a dark web monitoring project undertaken by the research outfit, one containing around 1.2 million records and another of 136,000 records.
It appears as if a hacker compromised a Stalker Online web server before stealing the user data and posting a link on its official website as proof.
After confirming the data for sale was genuine, the researchers tried and failed to get in touch with Australian developer BigWorld Technology and its parent company, Cyprus-based Wargaming.net.
Both databases were hosted on legitimate e-commerce site Shoppy.gg, which removed the content when advised by the white hats within a day.
“However, the fact that the storefront was operational for almost a month may suggest that copies of the database containing 1.2 million user records may have been sold on the black market to multiple buyers,” they explained.
“In addition, the removal of the databases from the e-commerce platform does not preclude the hacker from putting them up for sale someplace else. This means that all Stalker Online players should consider their records to still be compromised.”
Although the stolen information didn’t contain any financial data, there’s plenty that cyber-criminals could do with the haul, including credential stuffing, follow-on phishing attacks, email and phone spam, cracking open the email passwords and even holding the gaming accounts themselves ransom.
“Since Stalker Online is a free-to-play game that incorporates micro-transactions, malicious actors could also make a lot of money from selling hacked player accounts on the grey market,” the researchers said.
Nearly £17m has been lost to online fraud over the COVID-19 lockdown period with younger shoppers most affected, according to Action Fraud.
The UK’s National Fraud and Cybercrime Reporting Center claimed that online scams had snared 16,352 victims with online shopping and auction fraud since bricks and mortar stores were ordered to close on March 23.
That amounts to around £16.6m in losses, with the largest group of victims (24%) aged 18 to 26 and residing in cities including London, Birmingham, Manchester, Leeds, Sheffield, Liverpool, Bristol and Nottingham.
In many cases, consumers purchased items such as mobile phones (19%), vehicles (22%), electronics (10%) including gaming kit and laptops, and footwear (4%) but they never arrived. Fraudulent sellers were most likely to be found on eBay (18%), Facebook (18%), Gumtree (10%) and Depop (6%).
Pauline Smith, head of Action Fraud, explained that the trend for younger consumers falling victim most frequently existed long before COVID-19.
“It’s important to shop on sites you know and trust. If you’re using a site you’ve not used before, do your research and check reviews before making a purchase,” she said.
“Always be wary of emails, texts and social media posts that offer products for considerably less than their normal price – this is a common tactic used by criminals. Where possible, use a credit card to make online purchases as this will offer you more protection if anything goes wrong.”
Ben Tuckwell, district manager at RSA Security UK & Ireland, argued that fraudsters thrive in times of disruption.
“The recent shift to e-commerce has been critical for both consumers and the economy, but fraudsters have been quick to take advantage too. In fact, in the first three months of 2020, RSA recovered details of over five million unique compromised cards globally,” he said.
“Banks, card issuers and retailers alike must also step up the war on fraudsters, both in times of crisis and in the future as shopping increasingly moves online. Pioneering businesses are already applying machine learning to better predict whether a payment is likely to be fraudulent.”
Security researchers are warning of a multi-country North Korean phishing campaign designed to capitalize on government COVID-19 bail-out measures.
The operation is being undertaken by Pyongyang’s notorious Lazarus Group, and is “designed to impersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement of the fiscal aid,” according to Cyfirma.
The Goldman Sachs-backed cybersecurity startup said that the campaign was slated to launch over the weekend in the US, UK, India, Japan, Singapore and South Korea.
First spotting evidence of the operation at the start of the month, the researchers claim to have found seven email templates impersonating government departments and institutions like the Bank of England, Singapore’s Ministry of Manpower, Japan’s Ministry of Finance and the US Department of Agriculture.
The group will apparently use millions of email addresses and business contact details to target their victims via these spoofed domains. In many cases the phishing messages will claim to be offering a new government-backed business support payment.
“The hacking campaign involved using phishing emails under the guise of local authorities in charge of dispensing government-funded COVID-19 support initiatives. These phishing emails are designed to drive recipients to fake websites where they will be deceived into divulging personal and financial information,” Cyfirma explained.
“Given the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability.”
Singapore’s CERT has already issued an alert urging businesses and individuals to be vigilant and avoid clicking on links or opening attachments in unsolicited emails.
Despite this new COVID-themed threat from North Korea, Microsoft claimed last week that malicious emails utilizing the pandemic comprised less than 2% of the total detected by the firm over the past four months.
A man from Michigan has been charged with hacking into a medical center's database and stealing the personal information of 65,000 employees.
Federal prosecutors unsealed a 43-count indictment yesterday accusing Federal Emergency Management Agency (FEMA) IT specialist Justin Sean Johnson of illegally accessing data held by the University of Pittsburgh Medical Center (UPMC).
Johnson allegedly hacked into the center's Oracle PeopleSoft database in January 2014 using the nicknames "TDS" and "DS." The indictment accuses the 29-year-old of exfiltrating personal identifying information and tax data belonging to thousands of center staff, then selling it on the dark web for an undisclosed sum.
Data said to have been stolen and sold by Johnson included employees' names, dates of birth, Social Security numbers, addresses, and salary information.
Prosecutors said that over the course of 2017, unidentified conspirators used the exfiltrated data to file hundreds of phony tax returns that claimed approximately $1.7m in false refunds. These returns were then laundered by being converted into Amazon gift cards that were used to purchase goods worth about $885,000 that were shipped to Venezuela and later sold in online marketplaces.
The indictment charges the alleged cyber-criminal with wire fraud, conspiracy, and aggravated identity theft. If he is convicted on all charges, Johnson could spend 20 years locked up in federal prison.
Johnson is being held without bond after being arrested by police in Detroit on Tuesday.
In a statement, the special agent in charge of the US Secret Service field office, Timothy Burke, said: “The health care sector has become an attractive target of cybercriminals looking to update personal information for use in fraud."
UPMC spokesperson Gloria Kreps said identity theft protection monitoring services were provided free to employees affected by the cyber-attack prosecutors have attributed to Johnson.
In an email written to Detroit News, Kreps stated: “At the time of the breach, we helped our employees through the challenge and purchased LifeLock for them for five years for all UPMC employees, 65,000 at that time."
In June 2015, a Pennsylvania judge dismissed a health data breach lawsuit brought against UPMC the year before. The suit was filed by former UPMC employees after a data breach compromised the information of approximately 27,000 members of staff at the center.
A PC gaming service is taking action to eradicate a growing number of racist bots from one of its leading shoot-em-up titles.
Valve said it has introduced new anti-spam measures to the game Team Fortress 2 in an attempt to "mitigate the use of new and free accounts for abusive purposes."
Earlier this month, Kotaku reported that offensive bots were "running rampant" in TF2, overwhelming chats "with everything from annoying troll-speak to full-on racism." According to the gaming site, the title has been beset by bots "of various types" since early 2020.
Frustrated players of the game took to TF2's subreddit, Steam forums, Discords, and other communities, asking for Valve to intervene. Players who tried to tackle the bot problem themselves faced the wrath of the bot user community.
One TF2 player, Pazer, created a tool to automatically detect and remove bots from matches in the game. Angry bot users responded by creating a workaround and making a bot specifically to damage Pazer's reputation in the gaming community.
While the existence of offensive bots in TF2 is nothing new, Gamesindustry.biz reported yesterday that the problem "took a turn for the worse recently as the bots began employing game-breaking hacks and spamming the chat with racist diatribe."
In hopes of tackling the problem, Valve released a new patch on June 16 that restricts certain new accounts from using chat in official matchmaking modes. In announcing the patch, the company said, "Work is ongoing to mitigate the use of new and free accounts for abusive purposes."
Valve has also updated its Report Player functions, empowering players with the ability to disable in-game voice and text chat.
The widespread popularity of Team Fortress 2 has declined since its release in 2007 as players turn to more modern titles. Because of this drop in the number of users, the team-based shooter is now maintained by a skeleton crew, leaving it with little capacity to respond to abuse by bot operators.
In November 2019, veteran Valve employee Greg Coomer said: "There are very few people working on Team Fortress. I don't know the exact number, but it's hardly anyone anymore."
The United States has deported a convicted cyber-criminal and malware creator back to his native Russia.
Computer programmer Stanislav Vitaliyevich Lisov was arrested by Spanish authorities at Barcelona–El Prat Airport on January 13, 2017, at the request of the FBI, then extradited to the United States on January 19, 2018.
Lisov is the creator of banking Trojan NeverQuest and part of a criminal enterprise that used the malware in attempts to steal $4.4m from the bank accounts of hundreds of victims.
The 35-year-old pleaded guilty to one count of conspiracy to commit computer hacking in November 2019 and admitted using NeverQuest to steal $855,000. He was subsequently sentenced to 48 months in federal prison by the United States District Court for the Southern District of New York.
In addition to his custodial sentence, Lisov was sentenced to three years of supervised release and was ordered to pay forfeiture of $50,000 and restitution of $481,388.04. The maximum sentence he could have been handed would have seen the threat actor spend 35 years behind bars.
After earning credit for time served, the malware-maker was due to be released in a few months' time. However, the United States opted to deport Lisov to Russia on June 16.
Lisov spent six days in an immigration detention facility to which he was transferred from a prison in Pennsylvania on June 10. According to Russian Embassy officials in the US, the cyber-criminal was then transported to New York's JFK International Airport, where he boarded a Moscow-bound Aeroflot flight.
Reports at the time of Lisov's capture stated that the malicious actor was on honeymoon in Barcelona with his new wife when Spanish authorities placed him under arrest.
In a statement to the Russian news outlet RIA Novosti, Alexei Topolsky, a spokesperson for the Russian Consulate General in New York, said Lisov was unrestrained by handcuffs when he arrived for his flight.
According to Topolsky, Lisov, who was dressed in simple clothes and a face mask, "looked like a person who was happy to be going home."
Lisov was met at Sheremetyevo International Airport by his wife, Darya Lisova.
Facebook has removed advertising for Donald Trump’s re-election campaign because it featured a symbol heavily associated with Nazi Germany, in a move likely to dial up tensions in the US.
The inverted red triangle featured in the ad was reportedly used by the Nazis to mark out political prisoners in concentration camps.
It ran alongside a message from the President claiming that ‘far-left mobs’ are causing mayhem in the US and that left-wing activists loosely labelled “antifa” should be branded a terrorist organization.
“We don’t allow symbols that represent hateful organizations or hateful ideologies unless they are put up with context or condemnation,” Facebook’s head of cybersecurity policy, Nathaniel Gleicher, said in a brief statement.
“That's what we saw in this case with this ad, and anywhere that that symbol is used we would take the same actions.”
Other ads from the same campaign not featuring the symbol were left up, despite their dubious claims.
In fact, Facebook has come under increasing pressure of late to fact-check and remove misleading political ads, or ban them altogether like Twitter.
The social network disappointed many this week when it announced it would merely allow users to switch off social issue, electoral or political ads from candidates or political action committees in their Facebook or Instagram feeds.
This comes after a January update in which Facebook said it would help users to limit the number of political ads they see.
That isn’t good enough for the Biden election campaign. It has begun a petition calling on the social network to ban threatening behavior and lies about how to vote, and wants all political ads to be fact-checked for the two weeks running up to the election.
On the other side, Trump issued an executive order effectively preventing social media companies from fact-checking political statements.
Facebook has been at pains not to take sides in an increasingly fractious debate. In fact, it controversially left up incendiary remarks by Trump which some have claimed were an incitement to violence during recent civil unrest.
Google has removed scores of malicious and fake Chrome extensions being used in a global eavesdropping campaign.
The threat was spotted by Awake Security, which detected 111 of the malicious extensions over the past three months. When it notified Google of the issue last month, it claimed that 79 were present in the Chrome Web Store, where they had been downloaded nearly 33 million times.
Figures for the others not in the official marketplace are hard to calculate for obvious reasons.
“These extensions can take screenshots, read the clipboard, harvest credential tokens stored in cookies or parameters, grab user keystrokes (like passwords), etc,” it said in a report detailing the investigation.
“After analyzing more than 100 networks across financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government organizations, Awake discovered that the actors behind these activities have established a persistent foothold in almost every single network.”
Spoofed to appear legitimate, the extensions all sent the data they harvested back to domains registered through the ‘legitimate’ domain registrar GalComm, which Awake argued “is at best complicit in malicious activity.”
Those behind the campaign have worked hard to ensure an almost 100% success rate, evading enterprise security proxies, AV and other defenses.
“One reason for this appears to be a smart method for filtering/blocking requests used by this attack campaign. If the client is connecting to the domain from a broadband, cable, fiber, mobile or similar fixed-line ISP type of network, then the client will be delivered the malicious payload. This allows all normal users and enterprises to pass through the filter,” the report explained.
“If the connection is coming from a data center, web hosting service, transit networks, VPN or proxy, the request is redirected to a benign page.”
In some cases, efforts were made to bypass the Chrome Web Store altogether.
“They do so by loading a self-contained Chromium package instrumented with the malicious plugins,” Awake Security said.
“As most users don’t recognize the difference between Chrome and Chromium, when prompted to make the new browser their default, they frequently do – making their primary browser one which will happily continue to load malicious extensions from other GalComm related sources.”
The report suggested the campaign could be tied to state-sponsored activity.
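The capabilities Awake lists (screenshots, clipboard reads, cookie theft, keystroke capture) all have to be declared in an extension's manifest, so an unpacked extension can be triaged offline before anyone looks at its JavaScript. The script below is an added example written for this page, not Awake Security's tooling: the permission names and the `clients2.google.com` update endpoint are real Chrome manifest facts, while the risk notes, the scoring and both sample manifests (including the `updates.example.invalid` host) are constructed for illustration.

```python
"""Triage unpacked browser-extension manifests for the capabilities described above.
Added example, not Awake Security's tooling; the permission names are real Chrome
manifest keys, the sample manifests at the bottom are constructed."""
import json
from pathlib import Path

# Chrome permission -> what it lets an extension do (these notes are this example's own).
RISKY_PERMISSIONS = {
    "clipboardRead": "read the clipboard",
    "cookies": "read session cookies/tokens for permitted hosts",
    "tabs": "enumerate tabs and URLs; with host access, capture the visible tab",
    "webRequest": "observe every request, including form bodies",
    "webRequestBlocking": "modify or redirect requests",
    "desktopCapture": "capture the screen",
    "nativeMessaging": "talk to a native program outside the browser sandbox",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
OFFICIAL_UPDATE_HOST = "clients2.google.com"   # Chrome Web Store update endpoint


def assess(manifest: dict) -> dict:
    """Return the extension name, a list of findings, and a score (= number of findings)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = [f"{p}: {RISKY_PERMISSIONS[p]}" for p in sorted(perms) if p in RISKY_PERMISSIONS]
    if hosts & BROAD_HOSTS:
        findings.append("host access to every site")
    # A content script matched on every page can hook key events: that is how keystrokes are grabbed.
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected on every page (keystroke capture possible)")
    # A non-store update_url means later versions never pass Web Store review.
    update_url = manifest.get("update_url", "")
    if update_url and OFFICIAL_UPDATE_HOST not in update_url:
        findings.append(f"third-party update_url: {update_url}")
    return {"name": manifest.get("name", "<unnamed>"), "findings": findings, "score": len(findings)}


def scan_profile(extensions_root: Path) -> list:
    """Walk an unpacked extensions directory (e.g. a Chrome profile's Extensions/) and rank manifests."""
    results = []
    for mf in extensions_root.rglob("manifest.json"):
        try:
            results.append(assess(json.loads(mf.read_text(encoding="utf-8"))))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the sweep
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests (not taken from any real extension).
BENIGN_MANIFEST = {
    "name": "Tab Counter (sample)", "manifest_version": 3,
    "permissions": ["storage"], "host_permissions": ["https://example.com/*"],
}
SPY_MANIFEST = {
    "name": "Free Search Helper (sample)", "manifest_version": 2,
    "permissions": ["tabs", "cookies", "clipboardRead", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "update_url": "https://updates.example.invalid/crx",   # hypothetical third-party update host
}

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SPY_MANIFEST):
        r = assess(m)
        print(f"{r['name']}: score {r['score']}")
        for f in r["findings"]:
            print("  -", f)
```

Run `scan_profile` against a copied `Extensions/` directory rather than the live profile, and treat the score as a sort key for manual review, not a verdict: a password manager legitimately needs several of these permissions, and a side-loaded Chromium build of the kind described above will not be in the Chrome profile at all, so check which browser binary is set as the default too.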
Australian Prime Minister Scott Morrison today warned of a major state-sponsored cyber-espionage campaign targeting government and private sector businesses.
He urged domestic organizations to take steps to improve their resilience, including the use of multi-factor authentication to access cloud and internet-facing systems, and to patch online devices promptly.
“This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure,” Morrison warned.
“We know it is a sophisticated state-based cyber-actor because of the scale and nature of the targeting and the tradecraft used.”
In a technical advisory yesterday, the Australian Cyber Security Centre (ACSC) referred to the state actor’s “copy-paste compromises” — in other words, its heavy use of proof-of-concept exploits, web shells and other elements “copied almost identically from open source.”
The attackers specifically targeted remote code execution vulnerabilities in development tool Telerik UI, Microsoft Internet Information Services (IIS), SharePoint and Citrix.
“The actor has shown the capability to quickly leverage public exploit proof-of-concepts to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public-facing services to quickly target following future vulnerability releases,” the ACSC continued.
“The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organizations.”
When exploits don’t work, the hackers use spear-phishing plus open source and custom tools to achieve persistence. They’ve also been spotted using compromised legitimate Australian websites for command-and-control, in an attempt to hide their activity.
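The tradecraft the ACSC describes leaves three recognisable traces in ordinary web server logs: probing for forgotten dev, test and orphaned paths (a burst of distinct 404s from one client), requests to the handlers that public exploits for the named products target, and a dropped web shell that only ever receives POSTs. The triage below is an added example written for this page, not ACSC tooling. The two Telerik handler paths are the product's real public endpoints (the RadAsyncUpload `.axd` resource and `DialogHandler.aspx`, both targeted by published exploits); the log lines, the IIS field list, the thresholds and the web-shell heuristic are constructed for illustration.

```python
"""Triage of IIS W3C web logs for reconnaissance, known-handler requests and POST-only
scripts. Added example, not ACSC tooling; the sample log is constructed."""
from collections import defaultdict

# Constructed sample in IIS W3C extended format (the #Fields header names the columns).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2020-06-18 01:02:03 GET /default.aspx - 203.0.113.9 Mozilla/5.0 200
2020-06-18 01:02:04 GET /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 python-requests/2.23 200
2020-06-18 01:02:05 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 python-requests/2.23 200
2020-06-18 01:02:09 POST /uploads/cmd.aspx - 203.0.113.9 python-requests/2.23 200
2020-06-18 01:02:41 POST /uploads/cmd.aspx - 203.0.113.9 python-requests/2.23 200
2020-06-18 01:05:00 GET /login.aspx - 198.51.100.4 Mozilla/5.0 200
2020-06-18 01:05:01 POST /login.aspx - 198.51.100.4 Mozilla/5.0 302
2020-06-18 01:10:00 GET /_layouts/15/start.aspx - 192.0.2.77 curl/7.68.0 404
2020-06-18 01:10:00 GET /Telerik.Web.UI.DialogHandler.aspx - 192.0.2.77 curl/7.68.0 404
2020-06-18 01:10:01 GET /vpn/index.html - 192.0.2.77 curl/7.68.0 404
2020-06-18 01:10:01 GET /dev/ - 192.0.2.77 curl/7.68.0 404
2020-06-18 01:10:02 GET /test/ - 192.0.2.77 curl/7.68.0 404
2020-06-18 01:10:02 GET /old/admin.aspx - 192.0.2.77 curl/7.68.0 404
"""

# Telerik UI handlers that published exploits target (compared case-insensitively).
WATCHED_HANDLERS = {"/telerik.web.ui.webresource.axd", "/telerik.web.ui.dialoghandler.aspx"}
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")


def parse_w3c(text: str):
    """Yield one dict per request, using the #Fields header to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def handler_hits(records):
    """Every request to a watched handler: client, method, path, query string, status."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"], r["sc-status"])
            for r in records if r["cs-uri-stem"].lower() in WATCHED_HANDLERS]


def post_only_scripts(records):
    """Heuristic: a script that only ever receives POSTs (never a GET from anyone) looks like
    a dropped web shell, which an operator drives by POSTing commands to it."""
    methods = defaultdict(set)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if stem.endswith(SCRIPT_EXT):
            methods[stem].add(r["cs-method"].upper())
    return sorted(stem for stem, m in methods.items() if m == {"POST"})


def scanners(records, min_distinct_404=5):
    """Clients probing for forgotten dev/test paths show up as many distinct 404s."""
    misses = defaultdict(set)
    for r in records:
        if r["sc-status"] == "404":
            misses[r["c-ip"]].add(r["cs-uri-stem"])
    return {ip: len(paths) for ip, paths in misses.items() if len(paths) >= min_distinct_404}


def triage(log_text: str) -> dict:
    """Run all three checks over one log and return the findings keyed by check name."""
    records = list(parse_w3c(log_text))
    return {"handler_hits": handler_hits(records),
            "post_only_scripts": post_only_scripts(records),
            "scanners": scanners(records)}


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(check, result)
```

The POST-only heuristic misses a shell the operator first browsed with a GET, so pair it with file-creation events under the web root; and because the advisory says the actor reuses public proof-of-concepts almost verbatim, the user agents of the exploit tooling (here the constructed `python-requests` and `curl` strings) are a cheap supporting signal, though trivially changed.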
Michael Sentonas, global CTO at CrowdStrike, said his firm had seen a 330% spike in malicious activity in the first half of 2020 versus a year ago, and warned that the lines between e-crime and state-backed attacks are blurring due to increased sophistication of the former.
“Having a front line perspective of the rampant threat activity in Australia that occurs every day, including the number of high-profile breaches in recent months, demonstrates the country is not as prepared as we would like to believe,” he added.
“It is positive that this issue is being raised, and governments and organizations must now take action and harden their defenses against an advanced pool of adversaries.”
Given Australia’s recent geopolitical disputes with its larger neighbor to the north, China will be top of the list of suspects in these attacks.
The United States has sanctioned six Nigerians for operating cyber-scams that stole millions from American victims.
Indictments were unsealed June 16 against Richard Uzuh, Michael Olorunyomi, Alex Ogunshakin, Felix Okpoh, Nnamdi Benson, and Abiola Kayode. The six men are charged with orchestrating elaborate schemes to defraud Americans through Business Email Compromise (BEC) attacks and romance scams.
American citizens lost over $6m after falling victim to scams where the men impersonated business executives and requested and received wire transfers from legitimate business accounts or masqueraded as romantic partners.
After gaining the trust of their victims, the fraudsters manipulated them into handing over their usernames, passwords, and bank account details in order to steal from them. Several of those who engaged in romance fraud used online tools, including social media and email, to further their social engineering tactics.
Between early 2015 and September 2016, Uzuh and an accomplice would often attack over 100 businesses a day with emails purporting to be from a genuine executive at the target company. By requesting and receiving wire transfers of funds from the victimized firm's bank accounts, the pair were able to steal $6.3m.
Olorunyomi and a co-conspirator led a scheme that preyed on Americans searching for love online. The duo created fake profiles on dating websites and posed as romance seekers to defraud victims out of over $1m between September 2015 and June 2017.
As a result of the sanctions, all property and interests in property of the six men that are in the possession or control of US citizens or within or transiting the United States are blocked, and US persons generally are prohibited from dealing with them.
“Cybercriminals prey on vulnerable Americans and small businesses to deceive and defraud them,” said Secretary of the Treasury Steven Mnuchin.
“As technological advancement increasingly offers malicious actors tools that can be used for online attacks and schemes, the United States will continue to protect and defend at-risk Americans and businesses.”
In July 2019, Treasury’s Financial Crimes Enforcement Network (FinCEN) released an advisory noting that it received over 32,000 reports involving almost $9bn in attempted theft from BEC fraud schemes targeting US financial institutions and their customers since its 2016 advisory.
Recovered funds through FinCEN’s Rapid Response Program, in collaboration with law enforcement, recently surpassed $920m.
In-depth insights into the operations and methods of the elusive InvisiMole group have been revealed by ESET following an investigation into a new campaign by the espionage group. In this campaign, the group targeted a number of high-profile military and diplomatic bodies in Eastern Europe from late 2019 until at least June 2020.
ESET investigators found that InvisiMole collaborated with another cyber-threat actor, Gamaredon, to carry out its attacks. Gamaredon would infiltrate the network of interest, potentially gaining administrative privileges, before InvisiMole moved in to deploy its own malware.
ESET researcher Zuzana Hromcová explained: “Our research suggests that targets considered particularly significant by the attackers are upgraded from relatively simple Gamaredon malware to the advanced InvisiMole malware. This allows the InvisiMole group to devise creative ways of operating under the radar.”
The team also discovered four different execution chains InvisiMole uses, created by combining malicious shellcode with legitimate tools and vulnerable executables. The group’s malware is able to remain hidden by protecting components with per-victim encryption, meaning the payload can only be decrypted and executed on the affected computer. InvisiMole was also observed to have a new component that uses DNS tunneling for stealthier C&C communication.
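DNS tunnelling of the kind ESET describes is stealthy because the resolver, not the victim host, talks to the outside world, but it still leaves a statistical signature in resolver logs: many never-repeated, long, high-entropy subdomains under one zone, often as TXT queries. The detector below is an added example written for this page, not ESET's detection logic and not a description of InvisiMole's actual encoding; the query set is constructed in code (the `example.com` and `example.net` zones are reserved documentation names, and `t.example.net` is a hypothetical tunnel zone), and the thresholds and the last-two-labels zone split are simplifying assumptions.

```python
"""Flag DNS tunnelling candidates in a resolver log, the kind of covert C&C channel described
above. Added example, not ESET's detection logic; the query set is constructed."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex runs near 4, dictionary words well below 3."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naive split into (subdomain, zone): the last two labels are taken as the zone.
    Assumption: no public-suffix list, so 'co.uk'-style zones would be mis-split."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def domain_stats(queries):
    """queries: iterable of (client, qtype, qname). Returns per-zone aggregates."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for _client, qtype, qname in queries:
        sub, zone = split_name(qname)
        s = agg[zone]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub) if sub else 0.0
        s["txt"] += qtype.upper() in ("TXT", "NULL")   # record types that carry bulk data back
    return {zone: {"queries": s["n"],
                   "unique_ratio": len(s["subs"]) / s["n"],   # ~1.0 when every query is fresh data
                   "mean_sub_len": s["len"] / s["n"],
                   "mean_entropy": s["ent"] / s["n"],
                   "txt_share": s["txt"] / s["n"]}
            for zone, s in agg.items()}


def tunnel_candidates(queries, min_queries=10, min_len=30, min_entropy=3.0, min_unique=0.9):
    """Zones whose subdomains look like encoded payload rather than hostnames (thresholds assumed)."""
    stats = domain_stats(queries)
    return sorted(zone for zone, s in stats.items()
                  if s["queries"] >= min_queries and s["mean_sub_len"] >= min_len
                  and s["mean_entropy"] >= min_entropy and s["unique_ratio"] >= min_unique)


def build_sample():
    """Constructed sample: ordinary lookups from one workstation plus a beacon that packs data
    into hex labels under a hypothetical tunnel zone (not real telemetry)."""
    legit = [("10.0.0.5", "A", name)
             for name in ["www.example.com", "mail.example.com", "api.example.com", "cdn.example.com"] * 3]
    tunnel = [("10.0.0.5", "TXT", f"{hashlib.sha256(bytes([i])).hexdigest()[:48]}.t.example.net")
              for i in range(12)]
    return legit + tunnel


if __name__ == "__main__":
    sample = build_sample()
    for zone, s in domain_stats(sample).items():
        print(zone, {k: round(v, 2) for k, v in s.items()})
    print("tunnel candidates:", tunnel_candidates(sample))
```

Content-delivery and anti-malware vendors also generate long, unique, high-entropy labels legitimately, so run this per source client and allow-list known zones before alerting; the stronger signal is a zone that is new to the environment and hit only by one or two hosts.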
“We were able to document the extensive toolset used for delivery, lateral movement and execution of InvisiMole’s backdoors,” noted Anton Cherepanov, the ESET malware researcher who led the investigation.
InvisiMole is understood to have been active since at least 2013, and has been connected to cyber-espionage campaigns in Ukraine and Russia, including spying on victims using two feature-rich backdoors. The new analysis highlights how the group has significantly improved its abilities to conduct cyber-espionage.
Hromcová added: “With this new knowledge, we’ll be able to track the group’s malicious activities even more closely.”