Feed aggregator

Cyber-Attack on Rialto School District

Info Security - Tue, 08/25/2020 - 17:31

A cyber-attack has shut down virtual classes in a Los Angeles school district two weeks after the FBI issued a cybersecurity warning to schools offering online learning.

In a grim foreshadowing of what was to come, FBI supervisory special agent Corey Harris said on August 11: “We want all school districts to be prepared and understand that there’s a possibility that they could be attacked.”

"With so many kids that will be conducting school virtually, that increases the risk. That opens the door for an attacker to actually compromise either the school district’s network or the kids’ computers."

Online classes were suspended at the Rialto Unified School District on Monday following a malware attack.

A statement posted on the district’s website on Sunday said that online learning hosted by its Bridge Academy had been halted indefinitely while an investigation was underway to determine the “nature and scope” of the cyber-attack.

The statement read: “Rialto Unified School District has been affected by malware, which is software that is specifically designed to disrupt, damage or gain unauthorized access to the computer system. RUSD instruction will be suspended until further notice, while we investigate the nature and scope of the malware.

“We understand that this news is difficult in these already challenging times and we appreciate your patience while we work to address this issue."

District spokesperson Syeda Jafri said that information technology department staff were working “day and night” to give students back access to an education. She urged students who have assigned devices linked to the district’s server not to use them until the current situation has been resolved.

Computer equipment issued to students by the school will be collected and checked to make sure it is secure. 

The Rialto Unified School District includes three high schools, one alternative/adult education school, five middle schools, and 19 elementary schools. More than 25,000 students residing in Rialto or neighboring cities, including Bloomington, Colton, Fontana, Lytle Creek, and San Bernardino, attend school in the district.

Other school districts, including the Lake Elsinore Unified School District, also had disruptions on Monday after some teachers and students were locked out of Zoom.

Categories: Cyber Risk News

National Cyber League Registration Opens

Info Security - Tue, 08/25/2020 - 16:53

Registration for the fall season of the National Cyber League (NCL) opened yesterday.

The league provides an exciting virtual environment in which students of all levels can apply their cybersecurity skills to real-world scenarios encountered by professionals in the cybersecurity industry. 

Cyber league participants will be tasked with taking both offensive and defensive action to neutralize threats, break into websites, crack passwords, and expose the identities of hackers.

This season's mock challenges include catching an insider threat as they use a company's new remote working policy to secretly exfiltrate company data while working from home. 

Another scenario involves preventing a malicious actor from exploiting a vulnerability in a database to gain access to a computer. 

A spokesperson for the NCL said: "The puzzle-oriented, capture the flag style, offensive and defensive challenges are rooted in the CompTIA Security+ and EC-Council Certified Ethical Hacker performance-based exam objectives."

While fun is a major component of the NCL challenges, students who complete them will walk away with more than just great memories.

"Players also receive Scouting Reports they can share with potential employers to highlight their success within each challenge objective," said the spokesperson.

"Players do not just build skills relevant to a lucrative career; they become part of a like-minded community of cyber heroes and heroines who join forces to better their skills."

Kaitlyn Bestenheider first competed in the NCL in 2015. Now an information security analyst at Tevora, she is the league's chief player ambassador, responsible for creating and managing the first and only coaching guide recognized and approved by the NCL.

"I am just one of many success stories to come out of the NCL games," said Bestenheider. 

"Now, my team and I are listening to players and advocating for them; representing the views, perspectives and values of the players; and campaigning for new programs and partnerships. Our NCL Player Ambassador Board has many exciting things planned, and we can't wait to share all of this with our players."

The NCL is a nonprofit cybersecurity competition that was founded in 2011 by an alliance of public agencies dedicated to developing the next generation of cybersecurity professionals. Around 10,000 students compete in the league every year.

Categories: Cyber Risk News

FBI Investigates COVID-19 Patient Data Breach

Info Security - Tue, 08/25/2020 - 16:38

The FBI is investigating a data breach that exposed the personal information of South Dakota residents who had contracted COVID-19. 

The data breach took place in June when a database shared between the Department of Health and law enforcement agencies was exposed by a third-party vendor.

Information stored in the database was used to establish an online portal designed to reduce the chances of law enforcement officers and medics catching the novel coronavirus in the course of performing their duties. The portal allowed first responders to contact a dispatcher and find out if someone at an address to which they were being sent had tested positive for the virus.

Netsential.com, Inc., a web development company used by law enforcement agencies and fusion centers across the United States, hosted the database on its servers. The data breach happened on June 19 when Netsential added labels to a file that could allow a third party to identify a COVID-19 status if it were removed from the system.

Information exposed in the incident included names, addresses, dates of birth, and infection status. Department of Public Safety (DPS) officials said no Social Security numbers or financial data was compromised. 

The DPS informed COVID-19 patients in a letter dated August 17 that their data may have been exposed. The letter, signed by DPS director Paul Niedringhaus and seen by Rapid City Journal, warns patients that their information may now be accessible online.

“This information may continue to be available on various internet sites that link to files from the Netsential breach,” the letter states. “The list did not include any financial information, Social Security numbers, or internet passwords of any individuals.”

Recipients of the letter are advised to visit a webpage titled “South Dakota Consumer Protection” from the Office of the Attorney General. The page contains advice on preventing identity theft and securing information. 

“The letter speaks for itself, and because this is an FBI-led criminal investigation, we cannot comment any further,” said DPS public information officer Tony Mangan.

Netsential hit the headlines in June after thousands of US police records were exposed in a cyber-incident dubbed BlueLeaks.  

Categories: Cyber Risk News

Nearly Half of UK IT Leaders Have Not Upgraded to Cloud Security

Info Security - Tue, 08/25/2020 - 14:00

Nearly half (47%) of UK IT leaders have not updated their security strategies to account for their move to cloud environments, putting their organizations at higher risk of cyber-attack, according to a new study by Trend Micro commissioned for CLOUDSEC Online.

This is despite the fact that traditional on-premises security such as firewalls, network intrusion prevention systems (IPS/IDS) and anti-virus are unsuitable for cloud environments as they tend to create performance bottlenecks and security gaps.

Yet the survey showed that many IT leaders are keen for a single platform to provide cloud and on-premises security, with lack of integration between the two types of tooling cited by 43% of respondents as the biggest barrier to the adoption of cloud security. Additionally, 33% stated that this integration issue was their biggest day-to-day operational headache.

Over half (55%) also expressed a desire for third-party security providers to integrate with multiple platform and application vendors, while 54% want a security vendor “aligned” to their cloud journey.

The report noted that security vendor integration is becoming more important as organizations increasingly shift to multi-cloud environments.

Bharat Mistry, principal security strategist at Trend Micro, commented: “This is particularly concerning as 23% of organizations explained that they’ve already moved partly or fully to a DevOps model in order to drive digital transformation. Container, serverless and other emerging technologies require specially designed security capabilities delivered as application program interfaces (APIs) in order to provide appropriate protection without interrupting development pipelines.”

Earlier this month, the 2020 Cloud Security Report revealed that configuration errors are the number one threat to cloud security in the view of industry professionals, with multiple barriers to the further adoption of cloud services outlined by those surveyed.

Categories: Cyber Risk News

Palo Alto Networks to Acquire Crypsis Group

Info Security - Tue, 08/25/2020 - 12:45

Palo Alto Networks has announced its intention to acquire consultancy Crypsis Group.

The two companies have entered into a definitive agreement which will see Palo Alto Networks acquire the incident response, risk management and digital forensics consulting firm for a total purchase price of $265m. The proposed acquisition is expected to close during Palo Alto Networks’ fiscal first quarter, subject to the satisfaction of regulatory approvals and other customary closing conditions.

Part of the ZP Group, an organization with a portfolio of companies specializing in breach response, national security solutions and IT staffing, the Crypsis Group consists of more than 150 security consultants, responding to more than 1300 security engagements per year. The firm’s CEO, Bret Padres, will join Palo Alto Networks, and he said: “We have dedicated ourselves to creating a more secure world through the fight against cybercrime. Together with Palo Alto Networks, we will be able to help businesses and governments better respond to threat actors on a global scale.”

Palo Alto Networks said the acquisition will strengthen the ability of its Cortex XDR to collect rich security telemetry, manage breaches and initiate rapid response actions. It said it expects to integrate Crypsis Group’s processes and technology into Cortex XDR to further enhance its ability to safeguard organizations at every stage of the security lifecycle.

Nikesh Arora, chairman and CEO, Palo Alto Networks, said: “The proposed acquisition of the Crypsis Group will significantly enhance our position as the cybersecurity partner of choice, while expanding our capabilities and strengthening our Cortex strategy. By joining forces, we will be able to help customers not only predict and prevent cyber-attacks but also mitigate the impact of any breach they may face.”

Categories: Cyber Risk News

Eight Million Freepik Users Suffer Data Compromise

Info Security - Tue, 08/25/2020 - 11:30

Popular stock photo site Freepik has disclosed a major data breach affecting over eight million customers.

The incident also affected users of the sister site Flaticon, which claims to run the world’s largest database of free icons.

In a breach notice over the weekend, the firm said an attacker had exploited an SQL injection vulnerability in the Flaticon site, which allowed them to access user information in a database.

Of the 8.3 million customers affected, all had their email address taken, and nearly 3.8 million had a hashed password for the site also stolen.

Most (3.6 million) were hashed with bcrypt, whilst 229,000 were hashed with the less secure MD5. The latter have since been upgraded to bcrypt.
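Upgrading stored MD5 hashes to a slow, salted scheme is possible without ever seeing the plaintext password, and the remaining MD5 layer can then be dropped on each user's next successful login. The following is an added example written for this page, not Freepik's code, and it makes two assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt (bcrypt needs a third-party package, the wrapping technique is identical), and the user record layout, salts and sample password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the
# standard library. The upgrade pattern is the same with bcrypt.
ITERATIONS = 200_000


def kdf(data: bytes, salt: bytes) -> bytes:
    """Slow password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def legacy_md5_record(password: str) -> Dict:
    """Constructed legacy record: salted MD5, as the weaker accounts had."""
    salt = os.urandom(8)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return {"scheme": "md5", "legacy_salt": salt, "digest": digest}


def wrap_legacy_record(record: Dict) -> Dict:
    """Bulk upgrade, no password needed: run the slow KDF over the stored
    MD5 digest. An attacker who steals the table now faces the slow KDF
    first, instead of a raw MD5 that can be brute-forced cheaply."""
    assert record["scheme"] == "md5"
    salt = os.urandom(16)
    return {
        "scheme": "kdf(md5)",
        "legacy_salt": record["legacy_salt"],   # still needed to recompute MD5
        "salt": salt,
        "digest": kdf(record["digest"].encode(), salt),
    }


def fresh_record(password: str) -> Dict:
    """Record with no MD5 layer at all."""
    salt = os.urandom(16)
    return {"scheme": "kdf", "salt": salt, "digest": kdf(password.encode(), salt)}


def verify_and_rehash(record: Dict, password: str) -> Tuple[bool, Dict]:
    """Check a login and, if the record is still wrapped MD5, replace it
    with a direct KDF hash so the legacy layer disappears on first use."""
    if record["scheme"] == "kdf(md5)":
        inner = hashlib.md5(record["legacy_salt"] + password.encode()).hexdigest()
        candidate = kdf(inner.encode(), record["salt"])
    elif record["scheme"] == "kdf":
        candidate = kdf(password.encode(), record["salt"])
    else:
        raise ValueError("unwrapped MD5 record must not be used for login")
    if not hmac.compare_digest(candidate, record["digest"]):
        return False, record
    if record["scheme"] == "kdf(md5)":
        return True, fresh_record(password)   # transparent upgrade
    return True, record


if __name__ == "__main__":
    old = legacy_md5_record("correct horse")          # constructed sample
    wrapped = wrap_legacy_record(old)
    ok, upgraded = verify_and_rehash(wrapped, "correct horse")
    print(ok, upgraded["scheme"])                     # True kdf
```

The wrapped form is a stop-gap: it protects the dumped table but keeps MD5's lack of memory hardness inside the scheme, which is why the login path rehashes to the direct form as soon as the plaintext is available. Forcing a reset for wrapped accounts, as the notice describes, achieves the same end sooner.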

The remaining 4.5 million users logged in with their federated Google, Facebook or Twitter credentials so the hacker only got away with their emails. However, these could still be used to craft phishing emails requesting password confirmation.

The firm does appear to have acted swiftly to mitigate the issue, claiming to regularly review customer emails and passwords that end up on the web and notify affected customers if they find one.

“Those who had a password hashed with salted MD5 got their password cancelled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” explained Freepik.

“Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”

Jayant Shukla, CTO and co-founder of K2 Cyber Security, argued that firms need to do more to mitigate the risk of SQL injection exploitation, which remains one of the most popular among attackers.

“Organizations need to take action to better protect themselves against SQL vulnerabilities: 1) implement better coding practices to prevent SQL injection, 2) run better tests for SQL injection vulnerabilities before code makes it to production and 3) make sure they have protection against SQL injection attacks during runtime,” he said.
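The first two of those steps come down to one habit: user input is passed to the database driver as a parameter, never spliced into the SQL text, and a regression test exercises the query with a known injection string before release. The block below is an added example written for this page, not Freepik's or K2 Cyber Security's code; the in-memory SQLite table, the sample rows and the `find_user_*` function names are constructed for the demonstration.

```python
import sqlite3
from typing import List

# Constructed stand-in for a site's user table (assumption, not Freepik's schema).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    con.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, email: str) -> List[str]:
    """Deliberately insecure: input is formatted into the SQL string, so a
    quote in the input changes the query's structure."""
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con: sqlite3.Connection, email: str) -> List[str]:
    """Parameterised query: the driver sends the value separately from the
    statement, so it is only ever compared as data."""
    rows = con.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


# A classic tautology payload, used here only as a regression-test input.
INJECTION_PROBE = "nobody@example.com' OR '1'='1"


def passes_injection_regression(lookup) -> bool:
    """Step 2 from the quote: fail the build if the probe returns any row
    that an exact-match lookup should not."""
    con = make_db()
    return lookup(con, INJECTION_PROBE) == []


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, INJECTION_PROBE))   # every user leaks
    print(find_user_safe(db, INJECTION_PROBE))         # []
    print(passes_injection_regression(find_user_safe))  # True
```

The third step in the quote, runtime protection, sits outside the application code (a WAF or RASP layer); it is a backstop for queries the tests missed, not a substitute for parameterisation.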

Categories: Cyber Risk News

F-Secure: Enhance EDR to Stop Lazarus Group

Info Security - Tue, 08/25/2020 - 10:15

Security researchers have urged organizations to upskill incident detection and response teams, after revealing a new Lazarus Group attack which managed to bypass advanced EDR and network security at a cryptocurrency firm.

The tactical intelligence report details an attack which took place last year as part of the North Korean state-sponsored group’s wider multi-year campaign against crypto firms. Active since 2018, the attackers are likely to have used the same artifacts in at least 14 countries: the United States, China, the United Kingdom, Canada, Germany, Russia, South Korea, Argentina, Singapore, Hong Kong, Netherlands, Estonia, Japan and the Philippines.

Lazarus Group invested “significant effort” to bypass the victim organization’s cyber-defenses, such as by disabling AV on compromised hosts and removing evidence of malicious implants. However, these actions were “noisy” in themselves and served as clear signs that should have been picked up, said F-Secure.

The group also used native OS utilities to blend in, but again “elements of the commands used will often be anomalous and use specific esoteric strings that offer blue teams detection opportunities,” said F-Secure.

“These commands can blend in with standard activity, so it may not be possible to build high fidelity detection for all the techniques used,” the report noted.

“In this situation the use of lower fidelity detections that are then aggregated on a host basis in order to correlate activity and build intelligent thresholding in to alerting systems can help to detect malicious activity without generating too many false positives.”

In fact, Lazarus Group has been using the same family of tooling observed back in 2016. It is still effective because of these obfuscation techniques, although this offers further opportunities for detection.
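The aggregation F-Secure describes, weak signals summed per host within a time window and alerted on only past a threshold, can be sketched in a few dozen lines. This is an added example for this page, not F-Secure's detection logic or tooling: the signal names, their weights, the one-hour window, the threshold and the telemetry lines are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed low-fidelity signals and the weight each contributes. None of
# them alone is worth an analyst's time; together on one host they are.
SIGNAL_WEIGHTS = {
    "av_service_stopped": 3,        # defensive tooling disabled
    "event_log_cleared": 3,         # evidence removal
    "native_tool_unusual_args": 2,  # built-in utility with odd parameters
    "file_deleted_from_temp": 1,    # staging clean-up
}
WINDOW = timedelta(hours=1)   # assumption: correlation window
ALERT_THRESHOLD = 5           # assumption: tuned against false-positive rate

# Constructed telemetry: "<ISO timestamp> <host> <signal>".
SAMPLE_EVENTS = """\
2020-08-20T10:00:00 ws-17 native_tool_unusual_args
2020-08-20T10:02:00 ws-17 av_service_stopped
2020-08-20T10:05:00 ws-17 file_deleted_from_temp
2020-08-20T09:00:00 ws-42 av_service_stopped
2020-08-20T15:00:00 ws-42 native_tool_unusual_args
"""


def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    events = []
    for line in text.splitlines():
        ts, host, signal = line.split()
        events.append((datetime.fromisoformat(ts), host, signal))
    return events


def score_hosts(events, window: timedelta = WINDOW) -> Dict[str, int]:
    """Highest weighted sum of signals seen on each host inside any window
    that starts at one of that host's events."""
    by_host = defaultdict(list)
    for ts, host, signal in events:
        by_host[host].append((ts, SIGNAL_WEIGHTS.get(signal, 0)))
    best: Dict[str, int] = {}
    for host, items in by_host.items():
        items.sort()
        best[host] = 0
        for i, (start, _) in enumerate(items):
            total = sum(w for ts, w in items[i:] if ts - start <= window)
            best[host] = max(best[host], total)
    return best


def hosts_to_alert(events, threshold: int = ALERT_THRESHOLD) -> List[str]:
    return sorted(h for h, s in score_hosts(events).items() if s >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(score_hosts(evs))    # {'ws-17': 6, 'ws-42': 3}
    print(hosts_to_alert(evs))  # ['ws-17']
```

In the constructed data ws-42 stops its AV service too, but nothing else happens on it for six hours, so it stays below the threshold; ws-17 shows three weak signals within five minutes and is raised. The weights and window are where tuning happens, and the point of keeping the individual signals is that an analyst can see what made up the score.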

F-Secure concluded that effective detection and response is not simply about having the right tools, but also the users who know what to look for.

“The target in this investigation had a leading EDR and network security tool installed that captured telemetry of Lazarus Group's actions, but this did not result in a positive detection that was actioned,” it argued.

“It is F-Secure’s view that people play an important role in building effective detection capability, and this incident serves as an example of the need to invest in people as well as technology.”

Categories: Cyber Risk News

Low-Skilled Iranian Hackers Spotted Using Dharma Ransomware

Info Security - Tue, 08/25/2020 - 09:15

A group of “newbie” Iranian hackers have been blamed for attacks using the Dharma ransomware variant on targets in Russia and Asia.

The threat actors’ relative inexperience was highlighted by several characteristics of the attacks against companies in Russia, Japan, China and India, according to Group-IB.

The first indicator is the choice of the ransomware-as-a-service model offered by Dharma (aka Crysis) and of the publicly available IP scanning tool Masscan. They also used NLBrute to brute-force their way through weak RDP credentials and to check the validity of obtained credentials on other accessible hosts in the network.

“Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks. Once they established the RDP connection, they decided on which tools to deploy to move laterally. For instance, to disable built-in anti-virus software, the attackers used Defender Control and Your Uninstaller,” the security firm continued.

“To scan for accessible hosts in the compromised network, threat actors used Advanced Port Scanner — another publicly available tool. After the network reconnaissance activities were completed, the adversary used collected information to move laterally through the network using the RDP protocol.”

The group also demanded a relatively small ransom of 1-5 BTC.

Senior digital forensics specialist, Oleg Skulkin, argued that in spite of the use of fairly common TTPs, the group appears to have been quite effective.

“It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage,” he added.

Group-IB recommended organizations change the default RDP port from 3389 to another, and enable account lock-out policies to tackle brute-force attempts, as well as invest in intrusion detection tools to spot unusual behavior inside the network.

Categories: Cyber Risk News

Malicious Actors Impersonating Bitcoin Platform to Launch Malware Attacks

Info Security - Tue, 08/25/2020 - 08:25

Cyber-criminals have been impersonating the well-known Bitcoin BTC ERA trading platform in order to infect users of the online currency with malware, according to new research from Abnormal Security.

The cybersecurity firm found that malicious actors have been sending emails purporting to be from BTC Era that encourage users of Bitcoin to pay for what they believe is an investment.

The automated email addresses the recipient by name and says they have been approved to make a BTC transaction that requires a minimum deposit of $250 to start. The message includes a concealed URL with text that reads “create an account.” Once this link is clicked, there are multiple redirects before landing on the theverifycheck.com webpage, and once on the landing page a pop-up alert requests permission to show notifications from the website.

If the user clicks allow, it gives permission for adware to run on their device. Although it appears as though nothing has happened, the website is in fact enabling the user’s behavior to be monitored through malware and for ads and spam to be launched that target them.

Abnormal Security added that the scammers utilized the email marketing provider, Constant Contact, which enabled them to deliver a widespread attack to multiple recipients at the same time. It noted that this “takes less effort than spoofing emails and is more effective in casting a wide net to catch unsuspecting recipients.”

Ken Liao, vice-president of cybersecurity strategy at Abnormal Security, commented: “We have seen that over the last few months the weekly volume of attacks impersonating Bitcoin platforms has remained relatively constant. We saw an increased rate of these impersonations between the end of March through the beginning of May, though.”

He added: “We would advise organizations and their employees to double check the senders and addresses for messages to ensure that they’re coming from legitimate sources. Don’t just trust the display name. In addition, we would advise everyone to always double check the webpage’s URL before signing in.

“Attackers will often hide malicious links in redirects or host them on separate websites that can be reached by safe links. This allows them to bypass link scanning within emails by traditional email security solutions. If the URL looks suspicious, don’t enter your credentials and always verify with your company’s IT department."

Categories: Cyber Risk News

Hacker Disrupts North Carolina School Lesson

Info Security - Mon, 08/24/2020 - 17:35

The first day of online classes at a North Carolina school was memorable for all the wrong reasons after a hacker disrupted a lesson with offensive content. 

Virtual classes, taught via Google Meet, began at Lee County High School, Sanford, on Monday, August 17, as part of an effort to slow the spread of COVID-19. 

Students who logged on to a virtual Spanish class were shown racist, violent, and pornographic content by an unknown person who gained access to the lesson. The upsetting incident was witnessed by parents, a teacher, and around 20 students in the 10th grade.

Mom Shauna Roberts, who was watching her daughter's computer screen as the cyber-attack unfolded, said she was shocked by what she saw. 

"There were pictures of Nazi symbols. They were showing videos of African Americans being shot," said Roberts.

"There were also pictures of Donald Trump along with the KKK that were popping up. It was just disturbing all the way together."

According to Roberts, the prolonged attack lasted around 30 minutes and included the recital of racist slurs. She said parents, alerted to the incident, tried to protect their children from what was happening.

“You could actually see parents coming into the camera seeing the content as well. You could see a couple of parents actually making their kids move away from their computer so they could see what was going on," said Roberts.

"I think it’s just sad that our children are supposed to be online learning, but they are being exposed to this type of content."

In a statement given to WRAL News, Lee County High School wrote: "It appears that this was an inadvertent approval of an outside address requesting access; however, the incident is currently under investigation by both law enforcement and the district’s technology department. We take the security of online classes very seriously and are reviewing all protocols to make sure this does not happen again.”

Similar problems occurred at Oberlin Magnet Middle School on Tuesday, and at Millbrook Magnet High School in Raleigh, online lessons in Google Meet were disrupted by a group of students who "used inappropriate and offensive language as well as insulted students and teachers directly."

Categories: Cyber Risk News

US Makes Second Espionage Arrest in a Week

Info Security - Mon, 08/24/2020 - 16:42

The United States has arrested a former US Army Special Forces officer for allegedly passing national defense information to Russian intelligence operatives. 

Peter Rafael Dzibinski Debbins was arrested on Friday and charged with conspiring to provide United States national defense information to agents of a foreign government. 

Debbins' arrest comes a week after Hawaii resident and former Central Intelligence Agency officer Alexander Yuk Ching Ma was charged with selling secrets to the People's Republic of China over the course of a decade.

It is alleged that Debbins conspired with Russian spies for an even longer period, from December 1996 to January 2011. Court documents state that the 45-year-old resident of Gainesville, Virginia, was assigned a code name by Russian intelligence officials in 1997 after he signed a statement saying that he wanted to serve Russia.

According to the allegations, Debbins provided the Russian intelligence service GRU with information about his chemical and Special Forces units. After leaving active duty service in 2008, Debbins passed on classified information about his previous deployments. 

Debbins is further accused of helping Russian intelligence agents in their efforts to recruit other spies within the United States Army. He allegedly provided agents with the names of, and information about, his former Special Forces team members. 

This information was used by agents when deciding who to approach regarding cooperating with the Russian intelligence service.

“Two espionage arrests in the past week — Ma in Hawaii and now Debbins in Virginia — demonstrate that we must remain vigilant against espionage from our two most malicious adversaries — Russia and China,” said John C. Demers, assistant attorney general for national security.  

“Debbins violated his oath as a US Army officer, betrayed the Special Forces and endangered our country’s national security by revealing classified information to Russian intelligence officers, providing details of his unit, and identifying Special Forces team members for Russian intelligence to try to recruit as a spy. Our country put its highest trust in this defendant, and he took that trust and weaponized it against the United States.”

If convicted, Debbins faces a maximum penalty of life in prison.  

Categories: Cyber Risk News

TeamViewer Flaw Risks Password Exposure

Info Security - Mon, 08/24/2020 - 16:12

A vulnerability in the TeamViewer app could allow malicious actors to steal passwords. 

The high-severity flaw was discovered in the desktop version of the app for Windows before 15.8.3. By exploiting the weakness, authenticated threat actors operating remotely could execute code on victims' systems or crack their TeamViewer passwords. 

TeamViewer is a proprietary software application that allows users to control a range of smart devices remotely to perform functions like file transfers, desktop sharing, and web conferencing. 

The flaw, CVE-2020-13699, arises because TeamViewer Desktop for Windows does not properly quote its custom URI handlers. Because of this, an attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking.

Victims could also be persuaded to go to a specific website set up by threat actors to steal credentials or personal data.

The flaw's discoverer, Jeffrey Hofmann, security engineer at Praetorian, explained: "An attacker could embed a malicious iframe in a website with a crafted URL that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share."

According to Hofmann, most web browsers are set up to prevent attacks like this from happening.

He said: “Every modern browser except for Firefox URL encodes spaces when handing off to URI handlers which effectively prevents this attack.”

TeamViewer versions prior to 15.8.3 are vulnerable to the flaw, which has been fixed in the latest release. 

Andy Harcup, VP, Absolute Software, commented: “Security flaws in certain software and applications will always be located and exploited by opportunistic cyber attackers, and this latest revelation could potentially impact millions of Windows users.”

Harcup advised companies to protect their operating system by keeping up with the latest security updates. 

“For users to ensure that they are kept safe from the influx of cyber-attacks now facing them, the IT operations team must ensure their systems are kept up-to-date, whilst training their staff to simultaneously maintain a high level of online vigilance and awareness toward internet safety protocol. It is important for enterprises to keep the operating system up to date with the latest security updates in order to ensure maximum protection.”

Categories: Cyber Risk News

Kaseya Acquires Phishing Defense Platform Graphus

Info Security - Mon, 08/24/2020 - 14:25

IT infrastructure and security management solutions provider Kaseya today announced the acquisition of Graphus, an automated phishing defense platform.

The acquisition sees Kaseya boost its security offering and expand its IT Complete platform for MSPs and SMBs. The Graphus solution uses patented AI technology to defend Microsoft Office 365 and G Suite inboxes from a variety of threats delivered via email.

“The acquisition of Graphus catapults IT Complete to the next level and secures Kaseya’s position as the only comprehensive, tightly integrated, cost-effective platform in the industry to deliver all IT and security management needs for MSPs and SMBs in a single platform,” said Fred Voccola, CEO of Kaseya. “Kaseya can speak to Graphus’ impressive capabilities first-hand, having been a customer for nearly a year.

“With Graphus protecting over 3200 Kaseya inboxes and processing over 22 million of our emails, we’ve eliminated about 250,000 unsafe emails, quarantined nearly 15,000 phishing attacks and blocked 3400 executive spoofing and 2400 impersonation attacks. Having seen these outstanding results for ourselves, I’m even more excited to extend the same unmatched protection to our customers so they can close the security gaps of their cloud email platforms and, for MSPs, provide a low-cost solution to generate additional profits.”

Manoj Srivastava, CEO and co-founder of Graphus, added: “We’re thrilled to join the Kaseya family and integrate Graphus into Kaseya’s IT Complete platform. With phishing attacks on the rise, Kaseya customers can now amplify their existing suite of security tools with Graphus’ powerful automated email defense to create the most comprehensive, end-to-end security stack possible.” 

Graphus will continue to operate as an independent business within Kaseya, led by Srivastava.

Categories: Cyber Risk News

APT Group’s Worldwide Targeting of Small and Medium Businesses Revealed

Info Security - Mon, 08/24/2020 - 13:42

A detailed analysis of the APT group DeathStalker has been published today by Kaspersky, highlighting the scale of its operations throughout the world, from Europe to Latin America.

The ‘hacker-for-hire’ organization is known to have been active since at least 2012, primarily focusing on small and medium firms in the financial sector through commercial cyber-espionage campaigns.

Kaspersky said the research demonstrates that small and medium sized companies, as well as larger businesses and government organizations, must be prepared to deal with the threats posed by APT actors such as DeathStalker.

Through tracking the group from 2018, Kaspersky has been able to link its activities to the three malware families Powersing, Evilnum and Janicub, with “medium confidence.”

DeathStalker’s main method of attack is to deliver archives containing malicious files through tailored spear-phishing emails. When a user clicks the shortcut inside the archive, a malicious script is executed and further components are downloaded from the internet, giving the attackers control of the victim’s machine.

Kaspersky added that in its Powersing campaigns, DeathStalker has become adept at evading detection by placing dead drop resolvers on legitimate social media, blogging and messaging services. Once infected, victims’ machines contact these resolvers and are redirected by them, which hides the communication chain.

Powersing-related attacks were detected by Kaspersky in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK and the UAE, while Evilnum victims were located in Cyprus, India, Lebanon, Russia and the UAE, demonstrating the extent of DeathStalker’s activities around the world.

Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT, commented: “DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker reminds us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too.

“Furthermore, judging by its continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organizations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too.”

Last month, Kaspersky uncovered a new cyber-mercenary group known as the “Deceptikons,” which has been providing hacking services for hire for almost a decade.

Categories: Cyber Risk News

Alarm Sounded as “Aggressive” Vishers Target Home Workers

Info Security - Mon, 08/24/2020 - 11:01
The US government has been forced to issue an alert warning home workers of an aggressive new vishing campaign targeting corporate accounts.

The joint advisory came from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) at the end of last week.

It claimed that the attackers first registered domains, obtained SSL certificates and created legitimate-seeming phishing pages mimicking firms’ VPN log-in pages.

They then “compiled dossiers” on potential targets at certain companies by scraping publicly available info from social media profiles, recruitment tools and other sites, including their phone numbers.

Next came the vishing part of the scam, in which a smooth-talking fraudster socially engineers the victim into believing they are calling from the IT help desk or another legitimate body. VoIP numbers were also spoofed so that calls appeared to originate from co-workers.

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account,” the alert explained.

“In some cases, unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was the result of the earlier access granted to the help desk impersonator. In other cases, attackers have used a SIM-Swap attack on the employees to bypass 2FA and OTP authentication.”

According to CISA/FBI, the attackers used their resulting access to employee accounts to carry out further research on victims and fraudulently obtain funds using a variety of methods.

Although the attacks aren’t new per se, they illustrate the willingness of cyber-criminals to push beyond the typical targets for such scams, which have been in the ISP/telco space.

“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign,” said CISA/FBI.

Categories: Cyber Risk News

TikTok to Launch Legal Action Against Trump Administration

Info Security - Mon, 08/24/2020 - 09:35
As predicted, TikTok is taking the Trump administration to court over the President’s Executive Order which will effectively ban the app in the US.

The order, which was issued on August 6, alleged that the social firm’s data collection on large numbers of US citizens exposes them to Communist Party efforts to build “dossiers of personal information for blackmail, and conduct corporate espionage.”

It also argued that the app “reportedly” censors content unpopular among China’s leaders and could be used to spread misinformation. The Commerce secretary now has 45 days to come up with a list of currently ill-defined “transactions” involving TikTok owner ByteDance that should be banned.

In a new statement sent to Infosecurity, TikTok said it was taking legal action — that it had worked "in good faith" to try and allay Trump's concerns, but that it had been deprived of due process. It also argued that the administration "tried to insert itself into negotiations between private businesses."

“To ensure that the rule of law is not discarded, and that our company and users are treated fairly, we have no choice but to challenge the Executive Order through the judicial system,” TikTok said.

Any challenge, however, would not impact Trump’s decision to force a sale of the app in the US to an American company. That order came on August 14 and is not subject to judicial review.

These latest moves by the Trump administration, which included a similar ban on wildly popular messaging platform WeChat (Weixin) in the States, can be seen as part of a wider attempt to remove what are considered untrustworthy Chinese apps from the US.

However, they can also be viewed as an attempt to portray Trump as “strong on China” in the run up to the next Presidential election in November.

Among the suitors lined up with ByteDance for potential acquisition talks are Microsoft and Oracle.

Categories: Cyber Risk News

Travel Site Exposed 37 Million Records Before Meow Attack

Info Security - Mon, 08/24/2020 - 08:30
The company behind one of India’s most popular travel booking sites exposed 43GB of customer and corporate data before it was deleted by the infamous “Meow” attacker, according to researchers.

A team at SafetyDetectives led by Anurag Sen discovered an Elasticsearch server without password protection or encryption on August 10.

The team failed to get a response from the company in question, government-backed travel marketplace RailYatri, but the database was eventually secured after contact was made with India’s national CERT (CERT-In).

However, that was too late to save most of the information stored there: the Meow bot struck on August 12 and apparently deleted all but 1GB of the data.

The trove itself contained an estimated 37 million records linked to around 700,000 unique users of the popular site, a mobile app version of which has been downloaded over 10 million times on Google Play.

Exposed by the misconfiguration were users’ full names, age, gender, physical and email addresses, mobile phone numbers, booking details, GPS location, and the cardholder names and first and last four digits of payment cards.

“Exposed user information could potentially be used to conduct identity fraud across different platforms and other sites,” argued SafetyDetectives.

“Users’ contact details could be harnessed to conduct a wide variety of scams while personal information from the breach could be used to encourage click-throughs and malware downloads. Personal information is also used by hackers to build up rapport and trust, with a view of carrying out a larger magnitude intrusion in the future.”

The firm also warned that exposed data could have put customers in physical danger.

“RailYatri’s server recorded and stored users’ location information when booking their tickets, and also allowed users to track their journey progress with integrated GPS functionality. This information could be used by hackers to locate the nearest cell tower to the user, and potentially, the user’s actual location including current address,” it explained.

“Regular train users generate clear and distinguishable travel patterns which malicious actors could use to commit violent crime directly upon the individual.”

The bot-driven Meow attack campaign has so far destroyed data from thousands of victims, providing an even greater urgency for IT managers to ensure any cloud databases are properly configured.

Categories: Cyber Risk News

Tech Conferences Geared Toward Men

Info Security - Fri, 08/21/2020 - 18:31
A new report by Ensono has found that tech conferences are geared specifically toward men and are bad at providing an inclusive experience for women of color.

The "2020 Speak Up" report audited 18 major tech conferences from around the world and, in December 2019, surveyed 500 women from the US and the UK who attended a tech conference in the previous 12 months. 

Researchers found that women of color made up only 8% of keynote speakers at tech conferences over the last 3 years. Of the women of color who spoke at conferences, 80% said they were the only woman on the panel who wasn't white.

When it came to experiencing discrimination at a tech conference, 43% of white women said that they had encountered this issue, compared to 59% of women of color.

Of the 59% of women of color who experienced discrimination, 63% said it was race-based, compared to 47% who said it was gender-based.

One survey respondent said: “I have frequently been ignored or assumed to be a secretary or personal assistant because I am female. Men have talked directly to the male accompanying me even though he is my subordinate.”

The study found that conferences were designed with men in mind, with podiums and projectors placed too high, clip-on mic set-ups geared toward lapels and pockets, and bar stools offered that do not allow a wearer of an above-the-knee skirt or dress to sit modestly. 

"Design bias takes a toll on women by making it more tiring, difficult and inconvenient to perform the same tasks that men do," noted researchers.

Tech conference restroom arrangements were similarly found to favor men. Only 24% of survey respondents said they had been to a conference with on-site facilities for nursing mothers, and some women reported attending conferences where there were no women’s bathrooms at all.

The report's authors called for tech conferences to include a provision for anonymous reporting of sexual harassment. 

"Sadly, nearly half of sexual harassment victims and witnesses in our study didn’t report because they were afraid of retaliation from other conference attendees," wrote researchers.

Categories: Cyber Risk News

Reports of Cybercrimes Against Children Double During Pandemic

Info Security - Fri, 08/21/2020 - 17:32
The Tennessee Bureau of Investigation said yesterday that the number of tips received regarding cybercrimes against children has increased sharply since the outbreak of COVID-19.

Speaking to media, TBI Director David Rausch said investigators had received more than twice the usual number of tips concerning this type of cybercrime since the pandemic began. 

In 2020, the bureau has recorded 450 tips on cybercrimes against children, with 122 tips received in the month of March alone. 

Rausch said the rise might be linked to an increase in the amount of time people were spending online since remote working and social distancing became the norm. He warned parents to keep an eye on what their children are doing when they access the internet and to ensure smart devices are used under supervision.

“Our agents have seen children as young as five years old taking photos of themselves at the direction of someone they communicated with online," said Rausch.

“We want to encourage parents to be vigilant. Just as you wouldn’t let strangers into your home, or certainly your children’s bedroom, you shouldn’t let cyber-criminals into your home through phones or other screen sources.”

He advised parents who believe they have witnessed a concerning online interaction between their child and someone else to record the name and contact information of that individual. Rausch said that parents should not try to interact with the individual but should instead contact their local bureau of investigation.

Speaking to WKRN in February, TBI Special Agent Robert Burghardt said that the bureau took a proactive approach to catching criminals who use the internet to sexually exploit children. Detectives create profiles on popular social media apps like Facebook, Instagram, Snapchat, Kik, and TikTok purporting to be children. 

Burghardt said criminals are quick to connect online with users they believe to be minors.

“I’ve had over a dozen people reply within minutes,” said Burghardt. 

“You see it on the news, and you think eh, it won’t happen here, but it does. It happens every day throughout the state of Tennessee.” 

Categories: Cyber Risk News

Cross-Site Scripting Tops CWE's Most Dangerous List

Info Security - Fri, 08/21/2020 - 16:11
Cross-site scripting has topped the 2020 list of the 25 Most Dangerous Software Weaknesses compiled by the Common Weakness Enumeration (CWE). 

The vulnerability, described by the CWE as "improper neutralization of input during web page generation," was given a threat score of 46.82. 

Describing the dangers posed by cross-site scripting (XSS), CWE wrote: "The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. 

"Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as 'drive-by hacking.'"
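The weakness CWE describes as "improper neutralization of input during web page generation" is easiest to see side by side. The following is an added illustration, not code from the article or from CWE: a template that echoes a request parameter raw, next to the same template with the value escaped first. All function and constant names are constructed for this example.

```javascript
// Added illustration (not from the article or CWE): CWE-79 is the absence
// of output encoding when untrusted input is written into HTML.
// renderGreetingUnsafe() shows the weakness; renderGreetingSafe() neutralizes
// the value for an HTML text or quoted-attribute context before interpolating.
// All names here are constructed for this example.

// Entity map for the five characters that can change meaning inside HTML.
// Encoding all five keeps a value inert both in text content and inside
// double- or single-quoted attribute values. Applying it twice double-encodes,
// so escape exactly once, at the point where the value enters the page.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the request parameter lands in the page exactly as supplied,
// so any markup in the parameter is parsed by the browser as markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same template, but the untrusted value is neutralized first.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Review-time check for unit tests: does a rendered fragment contain a
// script element that the template author did not write?
function containsScriptTag(fragment) {
  return /<script\b/i.test(fragment);
}

// Constructed sample input: the classic harmless probe, which the browser
// would execute as a script element if echoed raw.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Run stand-alone to compare the two renderings.
console.log('unsafe:', renderGreetingUnsafe(SAMPLE_INPUT));
console.log('safe:  ', renderGreetingSafe(SAMPLE_INPUT));
```

The same escaping is only correct for HTML text and quoted attribute values; a value placed inside a script block, a URL, or a CSS context needs the encoder for that context instead.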

By comparison, last year's list-topper carried a far higher score: the biggest software threat in 2019, improper restriction of operations within the bounds of a memory buffer, received a threat score of 75.56.

The CWE Top 25 is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. 

To create the 2020 list, the CWE team leveraged Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). The team also took into account the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. 

The second biggest weakness identified in this year's list was "out-of-bounds write." This vulnerability was given a threat score of 46.16, just marginally lower than the threat occupying pole position. 

"These aren’t new risks, so why have organizations failed to find these problems before releasing code to production, or failed to protect these vulnerabilities against attack in production?" commented Jayant Shukla, CTO and co-founder of K2 Cyber Security.

"Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect."

Categories: Cyber Risk News